Posted to dev@httpd.apache.org by Brian Behlendorf <br...@organic.com> on 1996/06/02 03:13:05 UTC

Re: WWW Form Bug Report: "Security hole in test-cgi" on Linux

Hmm, I couldn't replicate his problem, but given that test-cgi is a SH 
script, maybe it shouldn't be in there, particularly since "printenv" 
(the only other script now in cgi-bin by default) does roughly the same 
thing.

	Brian

On Fri, 31 May 1996, Aram Mirzadeh wrote:
> Thanks for the report.  We'll see about fixing this asap. 
> 
> <Aram>
> 
> >Return-Path: nobody@hyperreal.com
> >From: doug@mitchcraft.com
> >To: awm@qosina.com
> >Date: Thu May 30 23:07:21 1996
> >Subject: WWW Form Bug Report: "Security hole in test-cgi" on Linux
> >
> >Submitter: doug@mitchcraft.com
> >Operating system: Linux, version: 1.2.13
> >Version of Apache Used: 1.0.5
> >Extra Modules used: Stock RedHat
> >URL exhibiting problem: http://www.mitchcraft.com/cgi-bin/test-cgi?word *
> >
> >Symptoms:
> >--
> >The asterisk is being put into the SERVER_PROTOCOL
> >field and because that line of test-cgi is not
> >quoted allows listing of server's files.
> >
> >Mine is now quoted, so try it out.
> >
> >http://www.mitchcraft.com/cgi-bin/test-cgi?word *
> >--
> >
> >Backtrace:
> >--
> >
> >--
> >
> --
> Aram W. Mirzadeh, MIS Manager, Qosina Corporation
> http://www.qosina.com/~awm/, awm@qosina.com
> Apache httpd server team http://www.apache.org
> 
> 
> 
> 

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  |  We're hiring!  http://www.organic.com/Home/Info/Jobs/


Re: WWW Form Bug Report: "Security hole in test-cgi" on Linux

Posted by Brian Behlendorf <br...@organic.com>.
On Sat, 1 Jun 1996, Alexei Kosut wrote:
> You can also use fun things like "/*", followed by "/*/*" and
> "/*/*/*", etc, etc and get yourself a complete directory listing. 

Sigh.  One tries and tries.... 

I'm all for removing it.  Anything wrong with leaving "printenv" there?

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  |  We're hiring!  http://www.organic.com/Home/Info/Jobs/


Re: WWW Form Bug Report: "Security hole in test-cgi" on Linux

Posted by Alexei Kosut <ak...@nueva.pvt.k12.ca.us>.
On Sat, 1 Jun 1996, Brian Behlendorf wrote:

> Hmm, I couldn't replicate his problem, but given that test-cgi is a SH 
> script, maybe it shouldn't be in there, particularly since "printenv" 
> (the only other script now in cgi-bin by default) does roughly the same 
> thing.

I can replicate it. Easily. On thousands of Apache systems across the
world. It's an interesting hole. Certainly there's nothing that Apache
can do, since potentially *any* of the variables test-cgi shows will
do that. If we checked the method (as NCSA httpd 1.5.1, at least,
seems to do - not directly for this purpose, but a method of "*" gets
translated to "HTTP" somewhere along the line), you can still throw in
a Content-location header with "*". Same result.

You can also use fun things like "/*", followed by "/*/*" and
"/*/*/*", etc, etc and get yourself a complete directory listing. Does
this count as a serious security hole yet? Problem is, "/*" might in
fact *be* a legal, say, content type. Case in point: "*/*" is a
perfectly legal Accept: value (it's the default, in fact). We can't
really do anything about passing that on to a CGI script...

Yet another reason not to use shell scripts, I guess.

P.S. Actually, *scratches head*, I can't seem to replicate this on any
NCSA servers. Is it possible they do check for this before sending on
to CGI scripts? As I mentioned, it does normalize protocol versions,
but the Content-length approach doesn't work either. 'Course, I only
tried about three of them (hoohoo, plus two picked at random from
Netcraft's survey), and they may just be machines on OSes that have
shells that don't expand environment variables. 

*shrug*

-- 
________________________________________________________________________
Alexei Kosut <ak...@nueva.pvt.k12.ca.us>      The Apache HTTP Server
URL: http://www.nueva.pvt.k12.ca.us/~akosut/   http://www.apache.org/
 
      "War does not determine who is right, only who is left."
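The mechanism discussed in all three messages above (an unquoted variable in a Bourne shell CGI script letting a request-supplied "*" expand into a directory listing, and quoting as the fix the reporter applied), shown as an added example. This is not code from the thread or from Apache's test-cgi; the value `HTTP/1.0 *`, the file names `alpha.conf` and `beta.conf`, and the function names are constructed for the demonstration, and the whole thing runs inside a throwaway directory.

```sh
#!/bin/sh
# Added example, not from the thread or from Apache's test-cgi. Shows why an
# unquoted expansion in a Bourne shell CGI script turns a request-supplied
# '*' into a directory listing, and two ways to close it.

# Constructed value: roughly what a request line such as
# "GET /cgi-bin/test-cgi?word * HTTP/1.0" might leave in an environment
# variable that the script echoes back.
CONSTRUCTED_VALUE='HTTP/1.0 *'

# Vulnerable pattern: $1 is unquoted, so the shell first splits it on
# whitespace and then performs pathname expansion on the lone '*' word,
# substituting the names of every file in the current directory.
vulnerable_render() {
    echo SERVER_PROTOCOL = $1
}

# Hardened pattern: double quotes suppress both word splitting and
# pathname expansion; the value is emitted exactly as received.
hardened_render() {
    echo "SERVER_PROTOCOL = $1"
}

# Alternative mitigation: set -f (noglob) disables pathname expansion for
# the whole script. Word splitting still happens, so runs of whitespace in
# the value collapse to single spaces, but no file names are substituted.
noglob_render() {
    ( set -f; echo SERVER_PROTOCOL = $1 )
}

# Run one of the renderers inside a throwaway directory that holds two
# constructed files, so the effect of expansion is visible and contained.
# Usage: run_in_scratch <renderer> <value>
run_in_scratch() {
    scratch=$(mktemp -d) || return 1
    touch "$scratch/alpha.conf" "$scratch/beta.conf"
    ( cd "$scratch" && "$1" "$2" )
    rc=$?
    rm -rf "$scratch"
    return $rc
}

# Stand-alone demonstration of the three behaviours.
echo "unquoted : $(run_in_scratch vulnerable_render "$CONSTRUCTED_VALUE")"
echo "quoted   : $(run_in_scratch hardened_render "$CONSTRUCTED_VALUE")"
echo "set -f   : $(run_in_scratch noglob_render "$CONSTRUCTED_VALUE")"
```

The quoted form is the one-line fix the reporter made to his copy; `set -f` is a second line of defence for a script with many such echo lines. Either way the thread's conclusion holds: the server cannot filter these values, because strings like `*/*` are legitimate in headers such as Accept:, so the CGI script has to treat every environment variable as untrusted input.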