COMMAND
apache
SYSTEMS AFFECTED
Apache 1.3.9/12 on SuSE Linux 6.3 and 6.4
PROBLEM
Following is based on a @stake Security Advisory by mnemonix.
The SuSE distribution of Linux (6.3 and 6.4 - earlier
distributions may also be affected) uses Apache as the web server
of choice (currently 1.3.12 with SuSE 6.4) and is installed by
default. Due to certain settings within the Apache configuration
file it is possible for an attacker to gain access to the source
code of CGI scripts. Often these scripts contain sensitive
information such as user IDs and passwords for database access
and business logic. Further to this, gaining access to the code
can allow the attacker to examine the scripts for any weaknesses
that they could then exploit to gain unauthorized access to the
server.
Apache reads in its configuration information from a file called
httpd.conf found in the /etc/httpd/ directory (srm.conf and
access.conf have been rolled into httpd.conf). Due to an
erroneous setting in this file it is possible to gain access to
the source code of CGI scripts held in the virtual directory
/cgi-bin/. Under normal operation files in this directory are
executed on the server as opposed to being returned to the
client. The setting in httpd.conf that allows execution of CGI
scripts and sets the /cgi-bin as the script directory is:
ScriptAlias /cgi-bin/ "/usr/local/httpd/cgi-bin"
However, as well as this setting there is also another:
Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/
This line is the root of the problem. An alias, or virtual
directory called "/cgi-bin-sdb/" has been set up and maps to the
same physical location that the "/cgi-bin" has been mapped to.
SuSE should have set this up as a "ScriptAlias" rather than just
an "Alias". This alias exists to support searching through SuSE's
documentation from the web server, but, as it transpires, the search
engine uses /cgi-bin anyway, which is perhaps the cause of the
oversight. An attacker would simply request a script through
/cgi-bin-sdb/ instead of /cgi-bin/ to obtain its source code.
SOLUTION
There are two ways to approach this. Using your favourite editor,
e.g. pico or vi, edit httpd.conf. The alias can be removed by
placing a # at the front of the line, thus commenting it out:
#Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/
As the search engine uses /cgi-bin this will not break any
functionality. The other way of resolving this issue would be to
change "Alias" to "ScriptAlias" so the line would read:
ScriptAlias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/
With this change, requests through /cgi-bin-sdb/ execute the CGI
scripts instead of returning their source. After making either
change, stop and restart the server.
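The following checker is an added example, not code from the advisory, from @stake or from SuSE's packages. It parses the Alias and ScriptAlias directives of an httpd.conf in the single-file form described above and flags any plain Alias whose filesystem target is the same directory as a ScriptAlias target (it also flags an Alias into a subdirectory of a ScriptAlias directory, which goes slightly beyond the single case on this page). For each finding it produces both remedies given above: the commented-out line and the ScriptAlias form. The sample configuration embedded in the script is constructed from the lines quoted in this advisory; the path /etc/httpd/httpd.conf used when the script is run directly is the location the advisory names.

```python
"""Detect plain Alias directives that expose a CGI directory as static files.

Added example; not part of the original advisory. Assumes the Apache 1.3
single-file httpd.conf layout (srm.conf and access.conf rolled in) and does
not follow Include directives.
"""
import os
import re
import shlex
import sys

# Constructed sample fragment, modelled on the SuSE directives quoted above.
SAMPLE_HTTPD_CONF = """\
ServerRoot "/usr/local/httpd"
ScriptAlias /cgi-bin/ "/usr/local/httpd/cgi-bin"
Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/
Alias /doc/ /usr/doc/
#Alias /old-cgi/ /usr/local/httpd/cgi-bin/
"""

# Matches 'Alias' or 'ScriptAlias' followed by whitespace; AliasMatch and
# commented-out lines ('#Alias ...') deliberately do not match.
DIRECTIVE_RE = re.compile(r'^\s*(ScriptAlias|Alias)\s+(.*)$', re.IGNORECASE)


def normalize_dir(path):
    """Canonical directory form so '/x/cgi-bin' and '/x/cgi-bin/' compare equal."""
    return os.path.normpath(path)


def parse_aliases(conf_text):
    """Return (script_targets, plain_aliases).

    script_targets: set of normalized directories served via ScriptAlias.
    plain_aliases:  list of (line_no, url_prefix, normalized_dir, raw_line).
    """
    script_targets = set()
    plain_aliases = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(raw)
        if not m:
            continue
        kind = m.group(1).lower()
        try:
            # shlex handles the quoted "/usr/local/httpd/cgi-bin" form as well
            args = shlex.split(m.group(2))
        except ValueError:
            continue  # unbalanced quotes: not a directive we can reason about
        if len(args) != 2:
            continue
        url_prefix, fs_dir = args
        fs_dir = normalize_dir(fs_dir)
        if kind == 'scriptalias':
            script_targets.add(fs_dir)
        else:
            plain_aliases.append((line_no, url_prefix, fs_dir, raw.strip()))
    return script_targets, plain_aliases


def find_source_leaks(conf_text):
    """Plain Aliases that map into a ScriptAlias directory.

    Returns a list of dicts with the offending line and both remedies:
    'comment_out' (the line prefixed with '#') and 'script_alias'
    (the same mapping rewritten as a ScriptAlias).
    """
    script_targets, plain_aliases = parse_aliases(conf_text)
    findings = []
    for line_no, url_prefix, fs_dir, raw in plain_aliases:
        # A plain Alias serves files as content; if it points at (or inside)
        # a ScriptAlias directory, CGI source is returned instead of executed.
        exposed = any(fs_dir == t or fs_dir.startswith(t + os.sep)
                      for t in script_targets)
        if exposed:
            findings.append({
                'line': line_no,
                'url_prefix': url_prefix,
                'directory': fs_dir,
                'comment_out': '#' + raw,
                'script_alias': 'ScriptAlias %s %s/' % (url_prefix, fs_dir),
            })
    return findings


def check_file(path):
    """Run the check over an httpd.conf on disk."""
    with open(path) as fh:
        return find_source_leaks(fh.read())


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else '/etc/httpd/httpd.conf'
    results = check_file(target) if os.path.exists(target) \
        else find_source_leaks(SAMPLE_HTTPD_CONF)
    for f in results:
        print('line %d: Alias %s exposes CGI directory %s'
              % (f['line'], f['url_prefix'], f['directory']))
        print('  fix (a): %s' % f['comment_out'])
        print('  fix (b): %s' % f['script_alias'])
```

Run it with the path to httpd.conf as its only argument; with no argument it checks the advisory's location and falls back to the embedded sample, where it reports line 3 (the /cgi-bin-sdb/ Alias) and prints the two corrected lines. The commented-out /old-cgi/ line and the /doc/ Alias are not reported.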
Patches:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/apache-1.3.12-107.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/apache-1.3.12-107.nosrc.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/apache-1.3.12-107.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/apache-1.3.12-107.nosrc.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/apache-1.3.9-70.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/apache-1.3.9-70.nosrc.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/apache-1.3.6-52.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/apache-1.3.6-52.nosrc.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/apache-1.3.6-53.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/apache-1.3.6-53.nosrc.rpm
Please use the update packages from the 6.1 directory for SuSE-6.0!
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/apache-1.3.12-109.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/apache-1.3.12-109.nosrc.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/ .
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/ .
ftp://ftp.suse.com/pub/suse/axp/update/6.1/n1/apache-1.3.6-43.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/apache-1.3.6-43.nosrc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/apache-1.3.12-108.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/apache-1.3.12-108.nosrc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.3/n1/ .