HTTP CGI Access

Impact

Local and remote users may be able to execute arbitrary commands on the HTTP server with the privileges of the httpd daemon. This may be used to compromise the HTTP server and, under certain configurations, gain privileged access.

Background

The HyperText Transport Protocol (HTTP) allows a client to access HTML pages and other web applications using a web browser. HTTP servers contain programs called CGI scripts which perform functions on the server at the request of the client (when a form is submitted, for example) and transmit results to the client's browser in the form of an HTML page.

The Problems

webdist:
CVE 1999-0039
A security vulnerability has been reported in the webdist.cgi cgi-bin program available with IRIX 5.x and 6.x. webdist.cgi is part of the IRIX Mindshare Out Box software package, which allows users to install software over a network via a World Wide Web interface. webdist.cgi allows webdist(1) to be used via an HTML form interface defined in the file webdist.html, which is installed in the default document root directories for both the Netsite and Out Box servers. Due to insufficient checking of the arguments passed to webdist.cgi, it may be possible to execute arbitrary commands with the privileges of the httpd daemon. This is done via the webdist program. When installed, webdist.cgi is accessible by anyone who can connect to the httpd daemon. Because of this, the vulnerability may be exploited by remote users as well as local users. Even if a site's webserver is behind a firewall, it may still be vulnerable.

phf:
CVE 1999-0067
The phf cgi program comes with the NCSA version 1.5 and Apache 1.03 web servers.  There may be other distributions that also have the phf cgi program in the cgi-bin directory.  The program relies on the escape_shell_cmd() function, which can allow execution of system commands (ex: cat /etc/password).  Therefore, if a malicious user determines that the phf cgi is present on the system, they can execute commands which have the same privilege as the web server.

campas:
CVE 1999-0146
The campas cgi program is installed with older versions of the NCSA web server.  A malicious user may be able to execute commands with the same privilege of the web server running.

handler:
CVE 1999-0147
The handler cgi is part of the Outbox Environment subsystem on IRIX 5.x and 6.x systems.  The cgi can be manipulated to execute commands at the privilege level of the web server.
Check to see if the Outbox system is on the system:

   % /usr/sbin/versions outbox.sw

   I = Installed, R = Removed

      Name                 Date      Description

   I  outbox               03/23/97  Outbox Environment, 1.2
   I  outbox.sw            03/23/97  Outbox End-User Software, 1.2
   I  outbox.sw.outbox     03/23/97  Outbox Software Tools, 1.2
   I  outbox.sw.webdist    03/23/97  Web Software Distribution Tools, 1.2

htmlscript:
CVE 1999-0264
htmlscript  "is an HTML based web development language which provides the power of scripting via new, easy-to-use tag," according to BugTraq.  The htmlscript, from www.htmlscript.com, has a vulnerability which allows a malicious user to access files.  The vulnerability exists in 2.99x according to htmlscript.  Version 3.x/Miva 1.x does not contain the vulnerability.

php:
CVE 1999-0058
php is an NCSA cgi enhancement.  The cgi has a vulnerability that lets unauthorized users view files on the system.  The cgi works by sending the path to the file as an argument to the cgi:

http://hostname/cgi-bin/php.cgi?/look-at-this-file

The php.cgi will let the malicious user view any file that the web server has privilege to read.

count:
CVE 1999-0021
The count program is used to count the number of times a particular web page has been accessed. In the program there is "...insufficient bounds checking on arguments which are supplied by users.."  There is a possibility of overwriting the stack space and executing commands.  A malicious user can craft a specific argument to count.cgi and force it to execute commands with the privileges of the web server.

jj:
CVE 1999-0260
jj is a demo cgi program.  It does not check user input to the /bin/mail program.  Therefore, a malicious user can have any output they wish to view mailed to themselves.  For example, if the web server is running as root, they may mail themselves the password file.

pfdispaly:
CVE 1999-0270
The pfdispaly (sic) cgi is part of the IRIS Performer API Search Tool which is a web based search tool that comes with the IRIX 6.2-6.4 operating system.  The vulnerability could allow access to files with the privileges of the user "nobody."

faxsurvey:
CVE 1999-0262
The faxsurvey cgi could allow a malicious user to execute any command they want at the privilege level of the http server.  The cgi is part of the HylaFAX package that ships with S.u.S.E. 5.1 & 5.2.  Older versions may also be vulnerable.

info2www:
CVE 1999-0266
The info2www cgi translates the Info Nodes that a user can view in Emacs, to HTML on the fly.  The script is written in perl and can allow a malicious user to execute system commands at the privilege level of the web server.  Not all of the versions of info2www are considered vulnerable.  The way to determine if you have a vulnerable script is to see if it at least has a version number and is greater than version 1.1.  If it does not have a version number, then it is most likely vulnerable and if it is version 1.1, it is also vulnerable.

textcounter:
textcounter is a perl script that displays a text based number which is the number of visitors to the web page.  The counter needs to read, write, and create a file to store the number of visitors.  The vulnerability comes from a lack of a test for shell metacharacters.  A malicious user may be able to have perl execute commands at the web server privilege.  Check out BugTraq to see more information on the vulnerability.

aglimpse/glimpse:
CVE 1999-0148
Glimpse is a search and indexing tool.  aglimpse/glimpse is an interface to the Glimpse search tool.  The cgi is written in perl. The vulnerability can allow access to the password by mailing a malicious user the password file.

WebGais & websendmail:
CVE 1999-0176
CVE 1999-0196
WebGAIS is an interface to the Global Area Intelligent Search (GAIS) index/search tool.  The cgi can be tricked to execute system commands with the privilege of the web server.  The websendmail is a cgi that comes with the WebGAIS package.  websendmail can be tricked to send the password file to a malicious user because there is no check on what type of characters are sent to the perl cgi.  Therefore, given a certain set of metacharacters, a malicious user may be able to have the cgi execute system commands with the privilege of the web server.

perl/perl.exe:
Perl is an interpreted scripting language.  To execute the perl script, the interpreter is used and the script is executed.  However, the interpreter should not be in the cgi-bin directory of the web server.  If there is a perl interpreter or a link to the interpreter, then a malicious user can do everything the normal perl interpreter can do from the command line.

Some very good rules to live by that have been found on the web:

  1. Never place any of your perl.exe files into your www-server directory
  2. Never call any perl script via this command line perl.exe?tscript.pl
  3. Never place perl anywhere on your system, reference it with the registry (for Windows Systems)
  4. Never associate any *.pl file with your perl executable, so that double clicking on any perl script will execute it immediately
  5. Never place any perl.exe into your cgi folders

www-sql:
The www-sql cgi is designed to access a MySQL database through an http server and create a nice query result page.  Put simply, it generates HTML pages dynamically from the output of the SQL server, the database.  The problem is that www-sql overrides .htaccess restrictions.
.htaccess is a file that puts restrictions on directories for Apache and NCSA based web servers.  You can read more about the problem at BugTraq.

view_source:
CVE 1999-0174
The cgi comes on the SCO Skunkware cdroms.  The cgi is to display documents, however, it does not check the arguments correctly and therefore can show files with the privilege of the web server.

uploader.exe:
CVE 1999-0177
O'Reilly's web server Website contains a program called uploader.exe, some versions of which allow any remote user to upload arbitrary files anywhere on the server. This could be used to upload executable files into the cgi-bin directory and run them from the browser, thus allowing an attacker to execute arbitrary commands on the server.

args.cmd:
This script, found on Website web servers, echoes parameters without checking them for illegal characters. Arbitrary code could be executed by passing it a parameter containing quote and newline characters.

win-c-sample.exe:
CVE 1999-0178
This script puts input parameters into a fixed-length string without checking the length of the string, causing a buffer overflow condition. This condition can be used to execute arbitrary code on the server.

product.asp, product.ast:
CVE 2000-0161
These scripts are sometimes found on Microsoft Site Server 3.0 (Commerce Edition) web servers. The first is part of the Volcano Coffee sample site. The second is created by the Site Builder wizard. These scripts accept user input which is put into an SQL query without any validity checking. A malicious user could supply input which includes arbitrary SQL commands to Read, Create, Modify, or Delete data.

htsearch:
CVE 2000-0208
This is part of the htdig package. A remote user can view any file on the system by passing the filename enclosed by backticks to htsearch as an input parameter. Versions of htdig prior to 3.1.4 and 3.2.0b1 are vulnerable.

infosrch.cgi:
CVE 2000-0207
This script, found on IRIX systems, allows man pages and other documentation to be viewed over the web. It does not validate the "fname" input parameter, which could allow an attacker to execute arbitrary commands using special shell characters.

ChangeAdminPassword:
This script comes with Cart32, an E-commerce Shopping Cart package. It allows the administrative password for the Shopping Cart application to be changed without any knowledge of the previous one. Once the password is set, it can be used to execute arbitrary commands using a specially crafted URL.

calendar_admin.pl:
CVE 2000-0432
Matt Kruse's calendar script prior to version 2.2, and including version 2.2 if downloaded before 5/17/2000, does not validate the input provided by the user, thus allowing a remote attacker to issue arbitrary commands with the privileges of the web server.

counterfiglet:
CVE 2000-0424
The web page access counter script version 4.0.7 by George Burgyan does not properly validate user input, allowing the remote execution of commands with the privileges of the web server. The counterfiglet script is one of a number of links to the counter script. All of the links are affected in a similar way.

Poll_It:
Poll It is a script for running online polls and displaying the results. By passing parameters which overwrite the initial settings in the script, it is possible to view any file on the system to which the http server has read access.

imagemap.exe:
CVE 1999-0951
This file found on OmniHTTPD web servers contains a buffer overflow condition which could allow a remote attacker to gain access to the server. OmniHTTPD 2.4Pro and Omnicron OmniHTTPD 1.1 are vulnerable.

Big Brother (bb-hostsvc.sh):
CVE 2000-0638
A vulnerability in Big Brother could allow a remote attacker to read any file on the server by exploiting the bb-hostsvc.sh script.

query:
CVE 2000-0039
The AltaVista Search Engine has a vulnerability which could allow a remote attacker to reconfigure the web server. The query program allows files in the directory above it to be viewed. An attacker could find encoded passwords in one of these files, decrypt them, and use them to log into the online configuration tool.

dbconnect.inc:
CVE 2000-0707
This file, included with the PCCS MySQL Database Admin Tool, reveals the plain text administrator password. The tool also allows any remote user to administer the database.

netauth.cgi:
CVE 2000-0782
Netauth is a web-based e-mail management system. It is possible to view arbitrary files on the system by supplying a specially crafted input parameter.

htgrep:
This script allows the user to specify header and footer files to be appended to the search output. By specifying an absolute pathname, an attacker could view any file which is readable by the web server process.

BBoardServlet:
SUN's Java Web Server comes with a number of example applications. One of these, the Bulletin Board application, allows a remote user to upload arbitrary JSP code to the server. It is then possible to cause the servlet which executes JSP code to execute the uploaded file by manually prepending servlet/ to its pathname. An attacker could execute arbitrary code in this manner.

YaBB.pl:
Yet another Bulletin Board (YaBB) is an Open Source bulletin board system. Due to a lack of variable checking, it can be exploited to view any file on the system.

vtopic:
This file is the search function used by the SCO UnixWare 7 scohelphttp web server. Due to a lack of variable checking, it can be exploited to view any world-readable file on the system, including /etc/passwd.

multihtml:
The MultiHTML script allows SSI calls to be placed in web pages to include the same HTML file in multiple pages. The script can be tricked into revealing arbitrary files by including a null character in the filename.

ssi:
The ssi script is part of thttpd. A lack of parameter checking in ssi, combined with the fact that thttpd translates hexadecimal codes after removing illegal "../" strings, could allow a remote attacker to view arbitrary files.
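The file-disclosure entries above (htgrep's absolute pathname, multihtml's embedded null character, and ssi's hex decoding after the "../" filter) all come down to checking a path before it has been fully decoded. The following is an added example, not code from any of the packages listed, that contrasts the filter-then-decode order with decoding first and then confirming the normalised path still lies under an assumed document root:

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/htdocs"   # assumed document root for this example

def strip_then_decode(param):
    """The ordering described for thttpd's ssi: the literal '../' is removed
    first and %XX escapes are translated afterwards, so an encoded '%2e%2e/'
    passes the filter and only then turns into '../'."""
    filtered = param.replace("../", "")
    return posixpath.normpath(posixpath.join(DOCROOT, unquote(filtered)))

def resolve_under_docroot(param):
    """Decode first, then reject NUL bytes (the multihtml case), absolute
    paths (the htgrep case) and anything that normalises to outside DOCROOT."""
    decoded = unquote(param)
    if "\0" in decoded:
        raise ValueError("embedded NUL byte")
    if posixpath.isabs(decoded):
        raise ValueError("absolute path not allowed")
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        raise ValueError("path escapes the document root")
    return full

def is_safe_path(param):
    """Boolean form of resolve_under_docroot for quick checks."""
    try:
        resolve_under_docroot(param)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed inputs covering the three disclosure patterns above.
    for p in ("docs/index.html", "../../../etc/passwd",
              "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd",
              "page.html%00.txt"):
        print(f"{p!r:40} strip-then-decode -> {strip_then_decode(p)!r}"
              f"  safe={is_safe_path(p)}")
```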

shopping_cart.mdb:
This file is the database used by CyberOffice Shopping Cart. By default, any web user can download this file, thereby gaining access to customer information, including credit card information.

webplus:
CVE 2000-0282
This script is part of the Web+ e-commerce server by Talentsoft. It is the interface to the webpsvr daemon, which is the driving process for the software. A lack of parameter checking could allow a remote attacker to view arbitrary files on the system.
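As an added example (not part of the original list), a small scanner over NCSA/Apache common-format access log lines that flags requests for the programs named above and the input patterns they are abused with: null bytes, "../", shell metacharacters and absolute paths in parameters. The hosts and requests in the sample log are constructed, and the name set will need tuning for generic names such as query, ssi or handler:

```python
import re
from posixpath import basename, splitext
from urllib.parse import unquote, urlsplit

# Program names taken from the Problems section; the generic ones (query,
# ssi, handler, perl) should be tuned against your own cgi-bin contents.
VULNERABLE_CGIS = {
    "webdist.cgi", "phf", "campas", "handler", "htmlscript", "php.cgi",
    "count.cgi", "jj", "pfdispaly.cgi", "faxsurvey", "info2www", "textcounter",
    "aglimpse", "glimpse", "webgais", "websendmail", "perl", "perl.exe",
    "www-sql", "view_source", "uploader.exe", "args.cmd", "win-c-sample.exe",
    "product.asp", "htsearch", "infosrch.cgi", "changeadminpassword",
    "calendar_admin.pl", "counterfiglet", "imagemap.exe", "bb-hostsvc.sh",
    "query", "dbconnect.inc", "netauth.cgi", "htgrep", "bboardservlet",
    "yabb.pl", "vtopic", "multihtml", "ssi", "shopping_cart.mdb", "webplus",
}

# NCSA/Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def findings_for(target):
    """Reasons a request target looks like a probe of one of the CGIs above."""
    parts = urlsplit(target)
    name = basename(parts.path).lower()
    path, query = unquote(parts.path), unquote(parts.query)  # decode first
    reasons = []
    if name in VULNERABLE_CGIS or splitext(name)[0] in VULNERABLE_CGIS:
        reasons.append("known vulnerable CGI: " + name)
    if "\0" in path + query:
        reasons.append("NUL byte in parameter")
    if "../" in path + query:
        reasons.append("directory traversal")
    if re.search(r"[;|`$\n]", query):
        reasons.append("shell metacharacter in query string")
    if re.search(r"(^|[=&])/", query):
        reasons.append("absolute path in parameter")
    return reasons

def scan(log_text):
    """Parse common-log lines; return (host, target, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reasons = findings_for(m.group("target"))
            if reasons:
                hits.append((m.group("host"), m.group("target"), reasons))
    return hits

# Constructed sample access log; the hosts and requests are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2000:10:15:01 -0500] "GET /index.html HTTP/1.0" 200 1234
10.0.0.9 - - [12/Jul/2000:10:15:07 -0500] "GET /cgi-bin/phf?name=a%3Bcat%20/etc/passwd HTTP/1.0" 200 312
10.0.0.9 - - [12/Jul/2000:10:15:09 -0500] "GET /cgi-bin/php.cgi?/etc/passwd HTTP/1.0" 404 210
10.0.0.9 - - [12/Jul/2000:10:15:11 -0500] "GET /cgi-bin/multihtml?file=%2e%2e/%2e%2e/etc/passwd%00.html HTTP/1.0" 200 980
10.0.0.3 - - [12/Jul/2000:10:16:00 -0500] "GET /cgi-bin/counter?page=index HTTP/1.0" 200 55
"""

if __name__ == "__main__":
    for host, target, reasons in scan(SAMPLE_LOG):
        print(host, target, "; ".join(reasons))
```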

Resolution

webdist:
Vendor patches to protect against this vulnerability are available from Silicon Graphics Inc., and they should be applied as soon as possible. A workaround to this problem is to immediately remove the execute permissions on the webdist.cgi program to prevent its exploitation. If the Webdist software is not required, it should be removed from the system entirely. You may read more about this vulnerability in CERT Advisory 97.12.

phf:
It is recommended that you remove the cgi from the cgi-bin directory.  The program is not required to run the web server.

campas:
It is recommended that you remove the cgi from the cgi-bin directory.  The program is not required to run the web server.

handler:
There are patches available from the SGI FTP site.
You may also remove the Outbox subsystem if there is no need for it being installed.

You may read more about the vulnerability in CERT Vendor Bulletin 97.07.

htmlscript:
Upgrade to the newest version which can be found at the htmlscript.com website.

php:
The author has the following solution: in the php.h file, add the line:

#define PATTERN_RESTRICT ".*\\phtml$"

This will restrict php.cgi to viewing files with phtml as the extension.  The current version can be found at http://www.vex.net/php.  For more details, see here.

count:
It is recommended to upgrade to the latest version, and at least to version 2.4. An alternative to upgrading is to remove the execute permissions from the cgi; however, this will cause the counter on the web page not to work correctly.  The rest of the web page should continue to look the same.  For more details, see the CERT advisory.

jj:
Since the program is a demo, it is recommended that it be removed from the cgi-bin directory.

pfdispaly:
Change the permissions of the cgi:  /bin/chmod 500 /var/www/cgi-bin/pfdispaly.cgi
The permission should be -r-x------.  BugTraq has information about the pfdispaly vulnerability.

faxsurvey:
There have been a variety of attempts made to fix the code in faxsurvey.cgi.  However, the best thing to do is remove it from the cgi-bin directory if there is no need for the cgi.

info2www:
It is recommended that the script is updated to the latest, version 1.2. You can read about the vulnerability at BugTraq.

textcounter:
To fix the vulnerability, add the following line after line 91 (taken from BugTraq):

$count_page = "$ENV{'DOCUMENT_URI'}";         # the original line 91
$count_page =~ s/([^a-z0-9])/sprintf("%%%02X",ord($1))/ge;   # ADD THIS: hex-encode every character outside [a-z0-9]

aglimpse/glimpse:
GlimpseHTTP is no longer available for updating, however, there is a new Glimpse interface called
WebGlimpse. It is recommended that the system be updated with WebGlimpse.

webgais & websendmail:
The best thing to do is upgrade to the latest version of the WebGAIS package.  After getting the latest version, disable the websendmail cgi that is included in the package.

perl/perl.exe:
Remove the links and binaries of the perl interpreter from the cgi-bin directory.

www-sql:
It is recommended that the script is updated to the latest version.

view_source:
According to BugTraq it is best to remove the cgi.

Whether any machines on your network are susceptible to this vulnerability or not, you should consider taking this opportunity to examine your entire httpd configuration schemes. In particular, all CGI programs that are not required should be removed, and all those remaining should be examined for possible security vulnerabilities. It is also important to ensure that all child processes of httpd are running as a non-privileged user. This is often a configurable option. See the documentation for your httpd distribution for more details.

uploader.exe:
Delete uploader.exe from the system. Use ftp to upload files.

args.cmd:
Delete args.cmd. It is provided as a sample program and is not needed on an operational web server.

win-c-sample.exe:
Delete win-c-sample.exe. It is provided as a sample program and is not needed on an operational web server.

product.asp, product.ast:
Install a patch. See the Microsoft Security Bulletin for patch information.

htsearch:
Upgrade to the latest version of htdig.

infosrch.cgi:
Remove or disable infosrch.cgi.

ChangeAdminPassword:
On Windows NT, change the permissions on c32web.exe so that it is only accessible by administrators. On Windows 95 or 98, remove c32web.exe. Alternatively, apply the patch developed by L0pht.

calendar_admin.pl:
Download the latest version from http://www.mattkruse.com/scripts/calendar, or make the following change to both calendar.pl and calendar_admin.pl:

After the line:

&ReadParse;

Insert the lines:

$in{config} =~ s|[^\s\w\.\/]||g;
$in{template} =~ s|[^\s\w\.\/]||g;

counterfiglet:
The counter script is no longer supported. Delete the counter script and all of the links to it. If the counter function is needed, install any of the newer scripts which do the same thing.

Poll It:
In the file cgi-bin/pollit/Poll_It_SSI_v2.0.cgi, move the line:

%in = &ReadForm;

above the local variable initializations, e.g. to line 66.

imagemap.exe:
Remove imagemap.exe from the cgi-bin directory.

Big Brother (bb-hostsvc.sh):
The vulnerability in bb-hostsvc.sh can be fixed by upgrading to version 1.4h2 or higher.

query:
Upgrade to the latest version of the AltaVista Search Engine.

dbconnect.inc:
Secure the pccsmysqladm directory through the web server.

netauth.cgi:
Download the latest version of Netauth.

htgrep:
Disable the script, or download a fixed version when it becomes available.

BBoardServlet:
Disable example applications and the invoker servlet as follows: In the administration applet under Setup, remove the File Alias:

/examples   $server_home/examples

and remove the Servlet Alias:

/servlet   invoker

for both the Web Service and the Secure Web Service. For further instructions on securing Java Web Server, see the document from SUN and CERT Advisory 2000-02.

YaBB.pl:
Install version 9.11.2000 or later, or add the following line after line 13 in yabb.pl:

if ($viewnum !~ /^[0-9]/) { &fatal_error("This field only accepts numbers from 0-9" ); }
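The textcounter, calendar_admin.pl and YaBB.pl fixes above are all input allowlists of differing strictness. The following added example (not code from any of those packages) reimplements the three checks in Python over a constructed form dict and shows the caveat that goes with each: the encoded value is no longer the original string, the calendar allowlist still admits "../", and a first-character digit test passes mixed input that a whole-value test rejects:

```python
import re

def encode_non_alnum(value):
    """textcounter fix: percent-encode every byte outside [a-z0-9], as the
    Perl s/([^a-z0-9])/sprintf("%%%02X",ord($1))/ge does. The encoded form
    cannot carry shell metacharacters, but it is no longer the original
    string, so only use it where an encoded value is acceptable."""
    return re.sub(r"[^a-z0-9]",
                  lambda m: "".join("%%%02X" % b for b in m.group(0).encode()),
                  value)

def strip_to_allowlist(value):
    """calendar_admin.pl fix: drop everything except whitespace, word
    characters, '.' and '/'. Metacharacters go, but '../' survives, so the
    result still needs a traversal check before it is used as a path."""
    return re.sub(r"[^\s\w./]", "", value)

def first_char_is_digit(value):
    """YaBB fix as published: /^[0-9]/ looks only at the first character."""
    return re.match(r"[0-9]", value) is not None

def is_numeric_id(value):
    """Tightened form /^[0-9]+$/: the whole value must be digits."""
    return re.fullmatch(r"[0-9]+", value) is not None

def validate_params(form):
    """Apply one policy per field of a constructed CGI form dict.
    Returns (cleaned, errors); refuse the request if errors is non-empty."""
    cleaned, errors = {}, []
    cleaned["count_page"] = encode_non_alnum(form.get("count_page", ""))
    for key in ("config", "template"):
        cleaned[key] = strip_to_allowlist(form.get(key, ""))
        if ".." in cleaned[key].split("/"):   # the allowlist alone lets this through
            errors.append(f"{key}: parent-directory reference not allowed")
    num = form.get("num", "")
    if is_numeric_id(num):
        cleaned["num"] = num
    else:
        errors.append("num: only digits 0-9 are accepted")
    return cleaned, errors

if __name__ == "__main__":
    # Constructed inputs; the field names follow the three fixes above.
    print(validate_params({"count_page": "/dir/page.html;id",
                           "config": "default.cfg", "template": "t.html",
                           "num": "1/../etc"}))
```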

vtopic:
Install a fix from SCO when it becomes available, or run the following commands to disable the scohelphttp server:

/usr/ns-home/httpd-scohelphttp/stop
/usr/ns-home/httpd-scohelphttp/disable

multihtml:
Install the latest version of MultiHTML.

ssi:
Upgrade to thttpd version 2.20 or higher.

shopping_cart.mdb:
Set the directory permissions to allow write but not read. This will enable users to update the database as required by the application, but not to download it.

webplus:
Upgrade to Web+ build 512 or later.

Where can I read more about this?

For those interested in reading more about general WWW security and secure CGI programming, visit the World Wide Web Security FAQ.