[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : SuSE Apache CGI Source Code Viewing

Title: SuSE Apache CGI Source Code Viewing
Released by: @stake
Date: 7th September 2000
Printable version: Click here

Hash: SHA1

                        @stake, Inc.



                     Security Advisory

 Release Date: 09/07/2000

  Application: Apache 1.3.9/12

     Platform: SuSE Linux 6.3 and 6.4

     Severity: An attacker can gain access to source code of

               CGI scripts. As such they may be able to discover

               user IDs and passwords, analyze business logic

               and examine scripts for weaknesses.

       Author: mnemonix (dlitchfield@atstake.com)

Vendor Status: Vendor has updated distribution configuration files

          Web: www.atstake.com/research/advisories/2000/a090700-2.txt


The SuSE distribution of Linux (6.3 and 6.4 - earlier

distributions may also be affected) uses Apache as the web server of

choice (currently 1.3.12 with SuSE 6.4) and is installed by default. Due

to certain settings within the Apache configuration file it is possible

for an attacker to gain access to the source code of CGI scripts. Often

these scripts contain sensitive information such as user IDs and passwords

for database access and business logic. Further to this, gaining access to

the code can allow the attacker to examine the scripts for any weaknesses

that they could then exploit to gain unauthorized access to the server.

Detailed Description:

Apache reads in its configuration information from a file called

httpd.conf found in the /etc/httpd/ directory (srm.conf and access.conf

have been rolled into httpd.conf). Due to an erroneous setting in this

file it is possible to gain access to the source code of CGI scripts held

in the virtual directory /cgi-bin/. Under normal operation files in this

directory are executed on the server as opposed to being returned to the

client. The setting in httpd.conf that allows execution of CGI scripts and

sets the /cgi-bin as the script directory is:

ScriptAlias /cgi-bin/ "/usr/local/httpd/cgi-bin"

However, as well as this setting there is also another:

Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

This line is the root of the problem. An alias, or virtual directory

called "/cgi-bin-sdb/" has been set up and maps to the same physical

location that the "/cgi-bin" has been mapped to. SuSE should have set this

up as a "ScriptAlias"  rather than just an "Alias". This alias exists to

support searching through SuSE's documentation from the web server but as

it transpires the search engine uses /cgi-bin, anyway - perhaps being the

cause of the oversight. An attacker would simply substitute /cgi-bin/ for

/cgi-bin-sdb/ to gain access to the source code.


There are two ways to approach this. Using your favourite editor,

e.g. pico or vi, edit httpd.conf. The alias can be removed by placing a #

at the front of line - thus "remming" it out:

#Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

As the search engine uses /cgi-bin this will not break any functionality.

The other way of resolving this issue would be to change "Alias" to

"ScriptAlias" so the line would read:

ScriptAlias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

By doing this CGI scripts would now be executed. After making these

changes stop and restart the server.

Vendor Response:

SuSE has updated the Apache distribution package. More information can

be found at http://www.suse.de/de/support/security/

For more advisories: http://www.atstake.com/research/index.html

PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.


Version: PGP 6.5.8





(C) 1999-2000 All rights reserved.