-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                              @stake, Inc.
                            www.atstake.com
                      www.cerberus-infosec.co.uk

                           Security Advisory

Release Date:   09/07/2000
Application:    Apache 1.3.9/12
Platform:       SuSE Linux 6.3 and 6.4
Severity:       An attacker can gain access to source code of CGI
                scripts. As such they may be able to discover user IDs
                and passwords, analyze business logic and examine
                scripts for weaknesses.
Author:         mnemonix (dlitchfield@atstake.com)
Vendor Status:  Vendor has updated distribution configuration files
Web:            www.atstake.com/research/advisories/2000/a090700-2.txt

Overview:

The SuSE distribution of Linux (6.3 and 6.4 - earlier distributions may
also be affected) uses Apache as the web server of choice (currently
1.3.12 with SuSE 6.4), and it is installed by default. Due to certain
settings within the Apache configuration file it is possible for an
attacker to gain access to the source code of CGI scripts. Often these
scripts contain sensitive information such as user IDs and passwords for
database access, and business logic. Further to this, gaining access to
the code can allow the attacker to examine the scripts for any weaknesses
that they could then exploit to gain unauthorized access to the server.

Detailed Description:

Apache reads in its configuration information from a file called
httpd.conf found in the /etc/httpd/ directory (srm.conf and access.conf
have been rolled into httpd.conf). Due to an erroneous setting in this
file it is possible to gain access to the source code of CGI scripts held
in the virtual directory /cgi-bin/. Under normal operation files in this
directory are executed on the server as opposed to being returned to the
client.
The setting in httpd.conf that allows execution of CGI scripts and sets
/cgi-bin as the script directory is:

    ScriptAlias /cgi-bin/ "/usr/local/httpd/cgi-bin"

However, as well as this setting there is also another:

    Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

This line is the root of the problem. An alias, or virtual directory,
called "/cgi-bin-sdb/" has been set up and maps to the same physical
location that "/cgi-bin" has been mapped to. Because it is a plain
"Alias", Apache serves the files under it as ordinary content rather than
executing them. SuSE should have set this up as a "ScriptAlias" rather
than just an "Alias". This alias exists to support searching through
SuSE's documentation from the web server, but as it transpires the search
engine uses /cgi-bin anyway - perhaps being the cause of the oversight.
An attacker would simply replace /cgi-bin/ with /cgi-bin-sdb/ in the
request URL to gain access to the source code.

Solution:

There are two ways to approach this. Using your favourite editor, e.g.
pico or vi, edit httpd.conf. The alias can be removed by placing a # at
the front of the line - thus "remming" it out:

    #Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

As the search engine uses /cgi-bin this will not break any functionality.

The other way of resolving this issue would be to change "Alias" to
"ScriptAlias" so the line would read:

    ScriptAlias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

By doing this CGI scripts under /cgi-bin-sdb/ would now be executed
rather than served as files. After making either change, stop and restart
the server.

Vendor Response:

SuSE has updated the Apache distribution package. More information can be
found at http://www.suse.de/de/support/security/

For more advisories: http://www.atstake.com/research/index.html
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBObe21lESXwDtLdMhEQJajwCg8kYY9NZH7zKaXRYRtTp0kVAcY5kAn3Cs
cRQt/QyJI1Ol8KtGkeYg60vM
=3+wu
-----END PGP SIGNATURE-----
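The misconfiguration above is an Alias whose target directory is the same as a ScriptAlias target. The following checker, an added example and not code from @stake or SuSE, scans httpd.conf-style text for that pattern so an administrator can confirm the fix; the sample configuration is constructed from the directives quoted in the advisory.

```python
"""Flag plain Alias directives that expose a ScriptAlias (CGI) directory.

A plain Alias serves files as static content, so CGI source is disclosed
when its target lies inside a directory that ScriptAlias marks executable.
Added example, not the advisory's or SuSE's own code.
"""
import os
import re
import shlex

# Alias / ScriptAlias directives; arguments may be quoted, so shlex splits them.
_DIRECTIVE_RE = re.compile(r'^\s*(ScriptAlias|Alias)\s+(.+?)\s*$', re.IGNORECASE)


def _norm(path: str) -> str:
    """Normalise a filesystem path so trailing slashes and quoting do not matter."""
    return os.path.normpath(path.rstrip("/")) + "/"


def parse_aliases(conf_text: str):
    """Return (aliases, script_aliases), each a list of (url_prefix, fs_dir)."""
    aliases, script_aliases = [], []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # a commented-out Alias (the advisory's first fix) is inert
        m = _DIRECTIVE_RE.match(stripped)
        if not m:
            continue
        args = shlex.split(m.group(2))
        if len(args) != 2:
            continue
        entry = (args[0], _norm(args[1]))
        (script_aliases if m.group(1).lower() == "scriptalias" else aliases).append(entry)
    return aliases, script_aliases


def find_exposed_cgi_aliases(conf_text: str):
    """Return the URL prefixes of Aliases whose target is inside a ScriptAlias directory."""
    aliases, script_aliases = parse_aliases(conf_text)
    return [url for url, fs_dir in aliases
            if any(fs_dir.startswith(cgi_dir) for _, cgi_dir in script_aliases)]


# Constructed sample modelled on the SuSE 6.4 httpd.conf lines quoted above.
SAMPLE_CONF = """
ScriptAlias /cgi-bin/ "/usr/local/httpd/cgi-bin"
Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/
Alias /icons/ "/usr/local/httpd/icons/"
"""

if __name__ == "__main__":
    for prefix in find_exposed_cgi_aliases(SAMPLE_CONF):
        print(f"{prefix} is a plain Alias onto a CGI directory: remove it or make it a ScriptAlias")
```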