Home page logo

bugtraq logo Bugtraq mailing list archives

@stake Advisory: SuSE Apache CGI Source Code Viewing (A090700-2)
From: "@stake Advisories" <advisories () ATSTAKE COM>
Date: Thu, 7 Sep 2000 11:50:46 -0400

Hash: SHA1

                        @stake, Inc.

                     Security Advisory

 Release Date: 09/07/2000
  Application: Apache 1.3.9/12
     Platform: SuSE Linux 6.3 and 6.4
     Severity: An attacker can gain access to source code of
               CGI scripts. As such they may be able to discover
               user IDs and passwords, analyze business logic
               and examine scripts for weaknesses.
       Author: mnemonix (dlitchfield () atstake com)
Vendor Status: Vendor has updated distribution configuration files
          Web: www.atstake.com/research/advisories/2000/a090700-2.txt


        The SuSE distribution of Linux (6.3 and 6.4 - earlier
distributions may also be affected) uses Apache as the web server of
choice (currently 1.3.12 with SuSE 6.4) and is installed by default. Due
to certain settings within the Apache configuration file it is possible
for an attacker to gain access to the source code of CGI scripts. Often
these scripts contain sensitive information such as user IDs and passwords
for database access and business logic. Further to this, gaining access to
the code can allow the attacker to examine the scripts for any weaknesses
that they could then exploit to gain unauthorized access to the server.

Detailed Description:

        Apache reads in its configuration information from a file called
httpd.conf found in the /etc/httpd/ directory (srm.conf and access.conf
have been rolled into httpd.conf). Due to an erroneous setting in this
file it is possible to gain access to the source code of CGI scripts held
in the virtual directory /cgi-bin/. Under normal operation files in this
directory are executed on the server as opposed to being returned to the
client. The setting in httpd.conf that allows execution of CGI scripts and
sets the /cgi-bin as the script directory is:

        ScriptAlias /cgi-bin/ "/usr/local/httpd/cgi-bin"

However, as well as this setting there is also another:

        Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

This line is the root of the problem. An alias, or virtual directory
called "/cgi-bin-sdb/" has been set up and maps to the same physical
location that the "/cgi-bin" has been mapped to. SuSE should have set this
up as a "ScriptAlias"  rather than just an "Alias". This alias exists to
support searching through SuSE's documentation from the web server but as
it transpires the search engine uses /cgi-bin, anyway - perhaps being the
cause of the oversight. An attacker would simply substitute /cgi-bin/ for
/cgi-bin-sdb/ to gain access to the source code.


        There are two ways to approach this. Using your favourite editor,
e.g. pico or vi, edit httpd.conf. The alias can be removed by placing a #
at the front of line - thus "remming" it out:

        #Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

As the search engine uses /cgi-bin this will not break any functionality.
The other way of resolving this issue would be to change "Alias" to
"ScriptAlias" so the line would read:

        ScriptAlias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

By doing this CGI scripts would now be executed. After making these
changes stop and restart the server.

Vendor Response:

SuSE has updated the Apache distribution package. More information can
be found at http://www.suse.de/de/support/security/

For more advisories: http://www.atstake.com/research/index.html
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.

Version: PGP 6.5.8


  By Date           By Thread  

Current thread:
  • @stake Advisory: SuSE Apache CGI Source Code Viewing (A090700-2) @stake Advisories (Sep 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]