phf:
CVE 1999-0067
The phf cgi program ships with the NCSA httpd 1.5 and Apache 1.0.3 web servers,
and other distributions may also install it in the cgi-bin directory. The program
passes user input through the escape_shell_cmd() function before handing it to a
shell; that function fails to escape the newline character, so a newline in the
query (encoded as %0a) ends the intended command and lets the attacker append
one of their own (ex: cat /etc/passwd). Therefore, if a malicious user determines
that the phf cgi is present on the system, they can execute commands with the
same privilege as the web server.
campas:
CVE 1999-0146
The campas cgi program is installed with older versions of the NCSA web server.
A malicious user may be able to execute commands with the same privilege as the
web server.
handler:
CVE 1999-0147
The handler cgi is part of the Outbox Environment
subsystem on IRIX
5.x and 6.x systems. The cgi can be manipulated to execute commands
at the privilege level of the web server.
Check to see if the Outbox subsystem is on the system:
    % /usr/sbin/versions outbox.sw
    I = Installed, R = Removed

       Name                  Date        Description
    I  outbox                03/23/97    Outbox Environment, 1.2
    I  outbox.sw             03/23/97    Outbox End-User Software, 1.2
    I  outbox.sw.outbox      03/23/97    Outbox Software Tools, 1.2
    I  outbox.sw.webdist     03/23/97    Web Software Distribution Tools, 1.2
htmlscript:
CVE 1999-0264
htmlscript "is an HTML based web development language which provides the power
of scripting via new, easy-to-use tags," according to BugTraq. htmlscript, from
www.htmlscript.com, has a vulnerability which allows a malicious user to read
files on the server. According to htmlscript the vulnerability exists in version
2.99x; version 3.x/Miva 1.x does not contain it.
php:
CVE 1999-0058
The php cgi (php.cgi) is a CGI scripting enhancement commonly installed with the
NCSA web server. The cgi has a vulnerability that lets unauthorized users view
files on the system. The cgi takes the path to a file as its argument:
    http://hostname/cgi-bin/php.cgi?/look-at-this-file
php.cgi will let the malicious user view any file that the web server has
privilege to read.
count:
CVE 1999-0021
The count program (Count.cgi) is used to count the number of times a particular
web page has been accessed. The program has "...insufficient bounds checking on
arguments which are supplied by users..", which makes it possible to overwrite
the stack and execute code. A malicious user can craft a specific argument to
count.cgi and force it to execute commands with the privileges of the web server.
jj:
CVE 1999-0260
jj is a demo cgi program. It does not check user input before passing it to the
/bin/mail program. Therefore, a malicious user can have any output they wish to
view mailed to themselves. For example, if the web server is running as root,
they may mail themselves the password file.
pfdispaly:
CVE 1999-0270
The pfdispaly (sic) cgi is part of the IRIS Performer API Search Tool, a web
based search tool that comes with the IRIX 6.2-6.4 operating system. The
vulnerability could allow reading of files with the privileges of the user
"nobody."
faxsurvey:
CVE 1999-0262
The faxsurvey cgi could allow a malicious user to execute any command they want
at the privilege level of the http server. The cgi is part of the HylaFAX package
that ships with S.u.S.E. Linux 5.1 and 5.2. Older versions may also be vulnerable.
info2www:
CVE 1999-0266
The info2www cgi translates the Info nodes that a user can view in Emacs to HTML
on the fly. The script is written in perl and can allow a malicious user to
execute system commands at the privilege level of the web server. Not all
versions of info2www are vulnerable: a script that carries no version number at
all is most likely vulnerable, version 1.1 is vulnerable, and versions later
than 1.1 are fixed.
textcounter:
textcounter is a perl script that displays a text based number which is the
number of visitors to the web page. The counter needs to read, write, and create
a file to store the number of visitors. The vulnerability comes from a lack of
a test for shell metacharacters in the document path used to name that file, so
a malicious user may be able to have perl execute commands at the web server
privilege. BugTraq has more information on the vulnerability.
aglimpse/glimpse:
CVE 1999-0148
Glimpse is a search and indexing tool, and aglimpse/glimpse (GlimpseHTTP) is a
web interface to it, written in perl. The vulnerability can allow access to the
password file by having the cgi mail it to a malicious user.
WebGais & websendmail:
CVE 1999-0176
CVE 1999-0196
WebGAIS is an interface to the Global Area Intelligent Search (GAIS) index/search
tool. The cgi can be tricked into executing system commands with the privilege
of the web server. websendmail is a cgi that comes with the WebGAIS package. It
performs no check on the characters sent to the perl cgi, so given a certain set
of metacharacters a malicious user may be able to have it execute system commands
with the privilege of the web server, for example to mail the password file to
themselves.
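The pattern shared by phf, textcounter, info2www, aglimpse and websendmail above is user input reaching a shell through a blacklist of "dangerous" characters. The following Python example is added here and is not code from this page or from any of those programs: it models escape_shell_cmd()-style blacklist escaping (the character table and the ph command line are assumed approximations of the original C code), shows why a newline still splits the command, and contrasts that with an anchored allowlist, an argv list that never involves a shell, and the percent-encoding route the textcounter fix on this page takes.

```python
import re
from urllib.parse import unquote

# Blacklist of characters that NCSA httpd's escape_shell_cmd() helper
# backslash-escaped before handing a string to popen()/system().
# Newline is not in the list: that omission is the phf bug. (Constructed
# approximation for illustration, not the original C table.)
NCSA_BLACKLIST = "&;`'\"|*?~<>^()[]{}$\\"


def escape_shell_cmd(s):
    """Blacklist escaping in the style of escape_shell_cmd(): prefix each
    listed metacharacter with a backslash and leave everything else alone."""
    return "".join("\\" + c if c in NCSA_BLACKLIST else c for c in s)


def phf_command_line(qalias):
    """The shell command phf effectively built from its Qalias parameter
    after escaping. The exact ph invocation is assumed for the example."""
    return "/usr/local/bin/ph -m alias=" + escape_shell_cmd(qalias)


def shell_would_run_extra_command(cmd):
    """A bare newline is a command separator in /bin/sh, so whatever follows
    it runs as a second command no matter how the other characters were
    escaped."""
    return "\n" in cmd


# Allowlist approach: accept only characters a ph alias can contain.
# re.fullmatch is used instead of ^...$ because '$' also matches just
# before a trailing newline (in Perl as well as Python), which would let
# "1\n" through. Character set assumed for the example.
ALIAS_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_allowed_alias(qalias):
    return ALIAS_RE.fullmatch(qalias) is not None


def safe_ph_argv(qalias):
    """Validate against the allowlist, then build an argv list. Passing a
    list to subprocess.run(argv) without shell=True means there is no
    shell left to interpret metacharacters at all."""
    if not is_allowed_alias(qalias):
        raise ValueError("Qalias contains characters outside the allowlist")
    return ["/usr/local/bin/ph", "-m", "alias=" + qalias]


def percent_encode_outside(s, allowed="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Third option, the one the textcounter fix uses: keep only the allowed
    characters and %XX-encode everything else, so the result is safe to use
    as a file name and never needs to reach a shell."""
    return "".join(c if c in allowed else "%%%02X" % ord(c) for c in s)


# The classic phf probe as it appears in web logs, decoded as the server would.
PROBE = unquote("x%0a/bin/cat%20/etc/passwd")

if __name__ == "__main__":
    print(repr(phf_command_line(PROBE)),
          "splits:", shell_would_run_extra_command(phf_command_line(PROBE)))
    print("allowlist accepts probe:", is_allowed_alias(PROBE))
    print(percent_encode_outside(PROBE))
```

The blacklist function is only as good as its table, and it is the attacker who decides which character to try next; the allowlist and the argv list do not need to know about any particular metacharacter.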
perl/perl.exe:
Perl is an interpreted scripting language; to run a perl script, the interpreter
is invoked on it. The interpreter itself should never be in the cgi-bin directory
of the web server. If a perl interpreter, or a link to it, is present there, a
malicious user can pass it arbitrary code and do everything the interpreter can
do from the command line, as the web server user.
Some very good rules to live by that have been found on the web:
view_source:
CVE 1999-0174
The cgi comes on the SCO Skunkware cdroms. It is meant to display documents,
but it does not check its arguments correctly and therefore can show files with
the privilege of the web server.
uploader.exe:
CVE 1999-0177
O'Reilly's WebSite web server contains a program called
uploader.exe, some versions of which allow any remote
user to upload arbitrary files anywhere on the server. This could be
used to upload executable files into the cgi-bin directory and run
them from the browser, thus allowing an attacker to execute arbitrary
commands on the server.
args.cmd:
This script, found on WebSite web servers, echoes its parameters
without checking them for illegal characters. Arbitrary code could be
executed by passing it a parameter containing quote and newline characters.
win-c-sample.exe:
CVE 1999-0178
This script puts input parameters into a fixed-length string without
checking the length of the string, causing a buffer overflow condition.
This condition can be used to execute arbitrary code on the server.
product.asp, product.ast:
CVE 2000-0161
These scripts are sometimes found on Microsoft Site Server 3.0
(Commerce Edition) web servers. The first is part of the Volcano Coffee
sample site. The second is created by the Site Builder wizard. These
scripts accept user input which is put into an SQL query without any
validity checking. A malicious user could supply input which includes
arbitrary SQL commands to Read, Create, Modify, or Delete data.
htsearch:
CVE 2000-0208
This is part of the htdig package. A remote user
can view any file on the system by passing the filename enclosed by
backticks to htsearch as an input parameter.
Versions of htdig prior to 3.1.4 and 3.2.0b1
are vulnerable.
infosrch.cgi:
CVE 2000-0207
This script, found on IRIX systems, allows man pages
and other documentation to be viewed over the web. It does not validate
the "fname" input parameter, which could allow an attacker to execute
arbitrary commands using special shell characters.
ChangeAdminPassword:
This script comes with Cart32, an E-commerce Shopping Cart package.
It allows the administrative password for the Shopping Cart application
to be changed without any knowledge of the previous one. Once the
password is set, it can be used to execute arbitrary commands using
a specially crafted URL.
calendar_admin.pl:
CVE 2000-0432
Matt Kruse's calendar
script prior to version 2.2, and including
version 2.2 if downloaded before 5/17/2000, does not validate the input
provided by the user, thus allowing a remote attacker to issue arbitrary
commands with the privileges of the web server.
counterfiglet:
CVE 2000-0424
The web page access counter script version 4.0.7 by George Burgyan
does not properly validate user input, allowing the remote execution of
commands with the privileges of the web server. The counterfiglet script
is one of a number of links to the counter script. All of the links are
affected in a similar way.
Poll_It:
Poll It is a script
for running online polls and displaying the results. By passing parameters
which overwrite the initial settings in the script, it is possible to
view any file on the system to which the http server has read access.
imagemap.exe:
CVE 1999-0951
This file found on OmniHTTPD web servers contains
a buffer overflow condition which could allow a remote attacker
to gain access to the server. OmniHTTPD 2.4Pro and Omnicron
OmniHTTPD 1.1 are vulnerable.
Big Brother (bb-hostsvc.sh):
CVE 2000-0638
A vulnerability in Big Brother
could allow a remote attacker to read any file on the server
by exploiting the bb-hostsvc.sh script.
query:
CVE 2000-0039
The AltaVista Search Engine has a vulnerability which could
allow a remote attacker to reconfigure the web server. The query
program allows files in the directory above it to be viewed. An
attacker could find encoded passwords in one of these files,
decode them, and use them to log into the online configuration
tool.
dbconnect.inc:
CVE 2000-0707
This file, included with the PCCS MySQL Database Admin Tool,
reveals the plain text administrator password. The tool also
allows any remote user to administer the database.
netauth.cgi:
CVE 2000-0782
Netauth is a web-based
e-mail management system. It is possible to view arbitrary files on the
system by supplying a specially crafted input parameter.
htgrep:
This script allows the user to specify header and footer files to be appended
to the search output. By specifying an absolute pathname, an attacker could
view any file which is readable by the web server process.
BBoardServlet:
SUN's Java Web Server comes with a number of
example applications. One of these, the Bulletin
Board application, allows a remote user to upload
arbitrary JSP code to the server. It is then possible
to cause the servlet which executes JSP code to
execute the uploaded file by manually prepending
servlet/ to its pathname. An attacker
could execute arbitrary code in this manner.
YaBB.pl:
Yet another Bulletin Board (YaBB) is an
Open Source bulletin board system. Due to a lack of variable checking, it
can be exploited to view any file on the system.
vtopic:
This file is the search function used by the SCO
UnixWare 7 scohelphttp web server. Due to a lack of variable
checking, it can be exploited to view any world-readable file
on the system, including /etc/passwd.
multihtml:
The MultiHTML script allows SSI calls to be placed in
web pages to include the same HTML file in multiple pages.
The script can be tricked into revealing arbitrary files by
including a null character in the filename.
ssi:
The ssi script is part of thttpd. ssi does not check its parameters, and
thttpd removes illegal "../" strings before it translates hexadecimal (%XX)
codes, so an encoded "%2e%2e/" survives the removal and is decoded into "../"
afterwards. Together these could allow a remote attacker to view arbitrary
files.
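php.cgi, htgrep, vtopic, MultiHTML and ssi above all hand a request-supplied path to the filesystem. The Python example below is added here and is not code from any of those packages: it reproduces the strip-then-decode ordering described for thttpd, the NUL-byte suffix-check bypass described for MultiHTML, and a hardened resolver that decodes first, rejects NUL, normalises, and then confines the result to an assumed document root before anything is opened.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/htdocs"   # assumed document root for the example


def thttpd_style_cleanup(raw):
    """The order of operations the text describes for thttpd's ssi: strip
    '../' first, then decode %XX sequences. An encoded '%2e%2e/' is untouched
    by the strip and only becomes '../' afterwards."""
    return unquote(raw.replace("../", ""))


def naive_suffix_check(name):
    """A check like 'only serve .html files' applied to the decoded string.
    '/etc/passwd\\x00.html' passes it, while a C-level open() stops at the
    NUL and opens /etc/passwd (the MultiHTML trick)."""
    return name.endswith(".html")


def resolve_under_docroot(raw):
    """Hardened resolution: decode first, reject NUL, normalise the path and
    confirm the result is still inside DOCROOT before touching the filesystem."""
    decoded = unquote(raw)
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    # commonpath works on components, so /var/www/htdocs2 is not "under" DOCROOT
    if posixpath.commonpath([DOCROOT, full]) != DOCROOT:
        raise ValueError("requested path escapes the document root")
    return full


def is_safe_request(raw):
    """Boolean wrapper so callers can test a request without handling the
    exception."""
    try:
        resolve_under_docroot(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    encoded = "%2e%2e/%2e%2e/%2e%2e/etc/passwd"
    print("thttpd-style cleanup leaves:", thttpd_style_cleanup(encoded))
    print("suffix check fooled:", naive_suffix_check(unquote("/etc/passwd%00.html")))
    print("hardened resolver accepts it:", is_safe_request(encoded))
    print(resolve_under_docroot("docs/../index.html"))
```

The two bugs are ordering bugs rather than missing checks: a check run before decoding, or a string check that the C library will not honour, gives the attacker a way to pass the test with a value that the filesystem interprets differently.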
shopping_cart.mdb:
This file is the database used by CyberOffice
Shopping Cart. By default, any web user can download
this file, thereby gaining access to customer information,
including credit card information.
webplus:
CVE 2000-0282
This script is part of the Web+ e-commerce server by
Talentsoft.
It is the interface to the webpsvr daemon,
which is the driving process for the software. A lack
of parameter checking could allow a remote attacker to
view arbitrary files on the system.
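As an added example for the list above (not part of the original page or of any scanner), the Python below scans Common Log Format access-log lines for requests to the CGI names in this list and for the payload shapes the descriptions mention (encoded newline, backticks, NUL, ../ traversal, pipe). The log lines are constructed for the example; the CGI name set is taken from this page and is not complete.

```python
import re
from urllib.parse import unquote

# CGI program names taken from the list above (not exhaustive; extend as needed).
KNOWN_CGI = {
    "phf", "campas", "handler", "php.cgi", "count.cgi", "jj", "pfdispaly.cgi",
    "faxsurvey", "info2www", "textcounter.pl", "aglimpse", "websendmail",
    "perl", "perl.exe", "view_source", "uploader.exe", "args.cmd",
    "win-c-sample.exe", "htsearch", "infosrch.cgi", "calendar_admin.pl",
    "imagemap.exe", "bb-hostsvc.sh", "netauth.cgi", "htgrep", "YaBB.pl",
    "vtopic", "multihtml", "ssi", "webplus",
}

# Payload shapes the descriptions mention, matched on the URL-decoded target.
PAYLOAD_PATTERNS = {
    "newline":   re.compile(r"\n"),      # phf: %0a acts as a command separator
    "backtick":  re.compile(r"`"),       # htsearch: filename in backticks
    "nul":       re.compile(r"\x00"),    # MultiHTML: %00 truncates the filename
    "traversal": re.compile(r"\.\./"),   # ssi/htgrep: escape the document root
    "pipe":      re.compile(r"\|"),      # perl open() with a pipe
}

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_clf(line):
    """Return the fields we need from one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    return {"client": m.group(1), "method": m.group(2),
            "target": m.group(3), "status": int(m.group(4))}


def findings_for(line):
    """Labels explaining why a line is suspicious (empty list when it is not)."""
    rec = parse_clf(line)
    if rec is None:
        return []
    path = rec["target"].partition("?")[0]
    name = path.rsplit("/", 1)[-1]
    found = []
    if name in KNOWN_CGI:
        found.append("cgi:" + name)
    decoded = unquote(rec["target"])  # inspect what the server would see
    for label, pat in PAYLOAD_PATTERNS.items():
        if pat.search(decoded):
            found.append("payload:" + label)
    return found


def scan(lines):
    """Every suspicious line as (client, target, findings)."""
    results = []
    for line in lines:
        found = findings_for(line)
        if found:
            rec = parse_clf(line)
            results.append((rec["client"], rec["target"], found))
    return results


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2000:12:00:01 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1041
10.0.0.5 - - [10/Jan/2000:12:00:02 -0500] "GET /cgi-bin/htsearch?words=%60/etc/passwd%60 HTTP/1.0" 200 512
10.0.0.9 - - [10/Jan/2000:12:00:03 -0500] "GET /index.html HTTP/1.0" 200 2048
10.0.0.5 - - [10/Jan/2000:12:00:04 -0500] "GET /cgi-bin/ssi?%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 312
10.0.0.7 - - [10/Jan/2000:12:00:05 -0500] "GET /cgi-bin/multihtml?multi=/etc/passwd%00.html HTTP/1.0" 200 870
"""

if __name__ == "__main__":
    for client, target, found in scan(SAMPLE_LOG.splitlines()):
        print(client, target, ", ".join(found))
```

A request for one of these CGI names is worth a look even without a payload label, since an attacker's first step is usually a plain GET to see whether the program exists; a 200 status on such a line means the program is installed, whether or not the probe succeeded.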
phf:
It is recommended that you remove the cgi from the cgi-bin directory.
The program is not required to run the web server.
campas:
It is recommended that you remove the cgi from the cgi-bin directory.
The program is not required to run the web server.
handler:
Patches are available from the SGI FTP site.
You may also remove the Outbox subsystem if there is no need for it
to be installed.
htmlscript:
Upgrade to the newest version which can be found at the htmlscript.com
website.
php:
The author's solution is to add the following line to php.h and rebuild php.cgi:
    #define PATTERN_RESTRICT ".*\\.phtml$"
This restricts php.cgi to files whose names end in .phtml (the doubled backslash is C string escaping for the regular expression's literal dot). The current version can be found at http://www.vex.net/php.
count:
It is recommended to upgrade to the latest version, and at least to
Count.cgi 2.4. An alternative to upgrading is to remove the execute permissions
from the cgi; this will stop the counter on the web page from working, but
the rest of the page should continue to look the same. For more details, see
the CERT advisory.
jj:
Since the program is a demo, it is recommended that it be removed from
the cgi-bin directory.
pfdispaly:
Change the permissions of the cgi so that only its owner can run it:
    /bin/chmod 500 /var/www/cgi-bin/pfdispaly.cgi
The resulting permissions should be -r-x------, which means the unprivileged
user the web server runs as can no longer execute the script. BugTraq
has information about the pfdispaly vulnerability.
faxsurvey:
There have been a variety of attempts made to fix the code in faxsurvey.cgi.
However, the best thing to do is remove it from the cgi-bin directory if
there is no need for the cgi.
info2www:
It is recommended that the script is updated to the latest, version
1.2. You can read about the vulnerability at BugTraq.
textcounter:
To fix the vulnerability, add the second line below after the original line 91 (taken from BugTraq), so that every character other than a-z and 0-9 in the page name is percent-encoded before it is used in the counter file name:
    $count_page = "$ENV{'DOCUMENT_URI'}";                    # the original line 91
    $count_page =~ s/([^a-z0-9])/sprintf("%%%02X",$1)/ge;    # ADD THIS !!!!!
aglimpse/glimpse:
GlimpseHTTP
is no longer available for updating, however, there is a new Glimpse interface
called
WebGlimpse. It is recommended
that the system be updated with WebGlimpse.
webgais & websendmail:
The best thing to do is upgrade to the latest version of the WebGAIS
package. After getting the latest version, disable the websendmail
cgi that is included in the package.
perl/perl.exe:
Remove the links and binaries of the perl
interpreter from the cgi-bin directory.
www-sql:
It is recommended that the script is updated to the latest
version.
view_source:
According to BugTraq
it is best to remove the cgi.
Whether any machines on your network are susceptible to this vulnerability or not, you should consider taking this opportunity to examine your entire httpd configuration schemes. In particular, all CGI programs that are not required should be removed, and all those remaining should be examined for possible security vulnerabilities. It is also important to ensure that all child processes of httpd are running as a non privileged user. This is often a configurable option. See the documentation for your httpd distribution for more details.
uploader.exe:
Delete uploader.exe from the system. Use ftp
to upload files.
args.cmd:
Delete args.cmd. It is provided as a sample program
and is not needed on an operational web server.
win-c-sample.exe:
Delete win-c-sample.exe. It is provided as a sample
program and is not needed on an operational web server.
product.asp, product.ast:
Install a patch. See the
Microsoft Security Bulletin for patch information.
htsearch:
Upgrade to the latest version of htdig.
infosrch.cgi:
Remove or disable infosrch.cgi.
ChangeAdminPassword:
On Windows NT, change the permissions on c32web.exe so that it is only accessible
by administrators. On Windows 95 or 98, remove c32web.exe.
Alternatively, apply the patch developed by
L0pht.
calendar_admin.pl:
Download the latest version from
http://www.mattkruse.com/scripts/calendar, or make the following change to
both calendar.pl and calendar_admin.pl. After the line:
    &ReadParse;
insert the lines:
    $in{config} =~ s|[^\s\w\.\/]||g;
    $in{template} =~ s|[^\s\w\.\/]||g;
counterfiglet:
The counter script is no longer supported. Delete the counter
script and all of the links to it. If the counter function is needed,
install any of the newer scripts which do the same thing.
Poll It:
In the file cgi-bin/pollit/Poll_It_SSI_v2.0.cgi, move the line:
    %in = &ReadForm;
above the local variable initializations (e.g. to line 66), so that submitted
parameters can no longer overwrite the script's settings.
imagemap.exe:
Remove imagemap.exe from the cgi-bin directory.
Big Brother (bb-hostsvc.sh):
The vulnerability in bb-hostsvc.sh can
be fixed by
upgrading to version 1.4h2 or higher.
query:
Upgrade to the latest version of the
AltaVista Search Engine.
dbconnect.inc:
Secure the pccsmysqladm directory
through the web server.
netauth.cgi:
Download the latest version of
Netauth.
htgrep:
Disable the script, or download
a fixed version when it becomes available.
BBoardServlet:
Disable the example applications and the invoker servlet
as follows: In the administration applet under Setup,
remove the File Alias:
    /examples $server_home/examples
and remove the Servlet Alias:
    /servlet invoker
for both the Web Service and the Secure Web Service. For further instructions on securing Java Web Server, see the document from SUN and CERT Advisory 2000-02.
YaBB.pl:
Install version 9.11.2000 or later,
or add the following line after line 13 in yabb.pl:
    if ($viewnum !~ /^[0-9]/) { &fatal_error("This field only accepts numbers from 0-9" ); }
Note that this check only tests the first character of $viewnum; an anchored
pattern such as /^[0-9]+$/ would also reject anything appended after the digits.
vtopic:
Install a fix from SCO when it becomes available, or
run the following commands to disable the scohelphttp server:
    /usr/ns-home/httpd-scohelphttp/stop
    /usr/ns-home/httpd-scohelphttp/disable
multihtml:
Install the latest version of MultiHTML.
ssi:
Upgrade to
thttpd version 2.20 or higher.
shopping_cart.mdb:
Set the directory permissions to allow write but not
read. This will enable users to update the database as
required by the application, but not to download it.
webplus:
Upgrade to
Web+ build 512 or later.