COMMAND

    httpd

SYSTEMS AFFECTED

    Some web servers like Apache and IIS

PROBLEM

    mnemonix found following.  There  is a "feature" inherent in  some
    web servers,  such as  Apache 1.3.x  or MS  IIS, that carries mild
    security implications that  could allow web  server attacks to  go
    unnoticed.   The  problem  relates  to "allowable" REQUEST_METHODs
    when  a  dynamic  resource,  such   as  a CGI script is requested.
    Essentially   _any_   (except   for   HEAD,   TRACE  and  OPTIONS)
    REQUEST_METHOD can be used - even methods not defined in the  HTTP
    protocol.  Consider  the following requests  which all return  the
    requested resource.

        GET /cgi-bin/environ.cgi HTTP/0.9

        Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0

    Even Control characters are allowed. Consider the following:

        ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1

    An attacker could issue this  request in an attempt to  hide their
    movements.   When this  request is  logged in  the access  log and
    viewed using cat or more the above will appear with the IP address
    removed.

        # cat /var/log/httpd/access_log

    or

        # more /var/log/httpd/access_log

    reveals

        10.20.20.1 - - [05/Jan/1999:18:00:00 GMT] "GET / HTTP/1.0" 200 1098
        /cgi-bin/environ.cgi HTTP/1.1" 200 2034
        10.20.20.2 -- [05/Jan/1999:18:01:00 GMT] "GET /index.html HTTP/0.9" 200 1098

    Using a method similar to this  it is possible for an attacker  to
    make it appear as  if the attack came  from another IP address  or
    completely  remove  the  whole  entry  by  placing certain control
    characters in the QUERY_STRING,  too. This "hiding" works  because
    the control characters  are interpreted when  piped to STDOUT  and
    the ^H being the back space removes, from the screen at least, the
    IP address and date  and time stamp. You  could use the vi  editor
    the view the "real" contents of the access log.

    This was tested on Apache 1.3.3 on RedHat 5.2 and Apache 1.2.7  on
    RedHat  5.0.  Also  affected  is  Microsoft's Internet Information
    Server 2,  3 and  4 but  in the  NT environment  this is less of a
    problem because the log files  are generally viewd in Notepad  and
    not using the "type" command, which incidently will interpret  the
    control characters.

    There is, however, a more important issue according to Marc Slemko
    that this same feature of allowing arbitrary methods to be  passed
    to CGIs can result  in.  Many people,  for some reason, insist  on
    using the  "Limit" directive  whenever they  configure any  access
    restrictions.  For example, they may do:

        <Limit GET POST>
        order deny,allow
        deny from all
        allow from 10.0.0
        </Limit>

    to  deny  all  access  to  hosts  outside of 10.0.0.0/24.  That is
    incorrect.  In normal situations,  it doesn't always lead to  much
    of a security  risk.  With  many CGIs, it  does.  That  is because
    many CGIs do not properly  check what method they are  called with
    and refuse  requests if  they don't  understand the  method.  That
    means it is impossible[0] to list every method that could be  used
    to call a script, since Apache allows for arbitrary methods to  be
    used.

    According to Eric Monti, at least one exploitable application  for
    throwing arbitrary characters into an HTTP request method is  good
    old "test-cgi".  The suggested (and typical) fix for the  original
    bug  in  this  script  was  to  put the "QUERY_STRING" variable in
    test-cgi in  quotes to  prevent its  use for  listing files.  With
    mnemonix's finding regarding the REQUEST METHOD's "feature",  many
    users   are   re-exposed   to   the   test-cgi   problem,  as  the
    "REQUEST_METHOD" variable remains un-quoted in the following shell
    command:

        echo REQUEST_METHOD = $REQUEST_METHOD

    Instead of using "*" or a pathname followed by "*" as an  argument
    to test-cgi as in:

        GET /cgi-bin/test-cgi?* HTTP/1.0

    An attacker could use something like the following:

        * /cgi-bin/test-cgi HTTP/1.0

    to see contents of /cgi-bin directory of web-root, or

        /* /cgi-bin/test-cgi HTTP/1.0

    to see  contents of  the system's  root /  or whatever absolute or
    relative path from  the webserver's cgi-bin.   This was tested  on
    version 1.3b6 of Apache.

SOLUTION

    As said before, it's only  a mild problem most likely,  really, to
    effect those  that don't  use a  text editor  to browse log files.
    As for M. Slemko addition, the answer, of course, is quite simple:
    don't  use  a  limit  directive  unless  you  only  want  to limit
    particular methods.   If you  want to  limit all  methods,  simply
    leave it out.  If you ever see any Limit directive used  anywhere,
    take a  second look  because the  vast majority  of them  are used
    incorrectly.   This  certainly  isn't  a  new issue, and certainly
    isn't anything that  hasn't been said  over and over,  and isn't a
    bug in  Apache but  a bug  in a  user's configuration,  but people
    still  seem  to  have  trouble  getting  the message.  At the end,
    regarding cgi-test, the fix is to surround all of the variables in
    test-cgi  (and  any   other  variations  of   test-cgi,  such   as
    nph-test-cgi, that may be present) in quotes.