COMMAND

    httpd (nph-test-cgi)

SYSTEMS AFFECTED

    The majority of UNIX-based Internet World Wide Web servers come with
    this CGI  script installed  by default.   They are  NCSA HTTP 1.3,
    1.4,  1.4.1,  1.4.2,  1.5.1,  1.5.2,  1.5.2a;  Apache  HTTP 0.8.11,
    0.8.14, 1.0.0, 1.0.2, 1.0.3, 1.0.5, 1.1.0

PROBLEM

    A  security  hole  exists  in  the nph-test-cgi script included in
    most UNIX-based  World Wide Web  daemon distributions.   The nph-*
    scripts exist  to allow  'non-parsed headers'  to be  sent via the
    HTTP protocol  (this is  not the  cause of  this security problem,
    though).   The  problem  is  that  nph-test-cgi,  which prints out
    information on the current  web environment (just like  'test-cgi'
    does), does not enclose its arguments to the 'echo' command inside
    quotes, so the shell performs word splitting and  pathname (glob)
    expansion on the query string.  Shell escapes are not possible (or
    at least I have not found them to be--yet) but shell *expansion* is.
    This means that _any_ remote user can easily browse your filesystem
    via the WWW.

    Please note that the latest versions 1.1.1 and 1.2b2 or higher  do
    *not* include the  script as part  of the distribution  but if you
    upgrade from  an earlier  version (or  NCSA HTTP)  then the script
    _may_  still  be  installed  on   your  server  from  a   previous
    distribution.

    The exploit is very simple.

        Enter the URL: <http://yourwebserver.com/cgi-bin/nph-test-cgi?*>

    Replace <yourwebserver.com> with the hostname of a server running
    a web daemon near you.

    With minor  variants, both  scripts are  a problem  in a couple of
    areas.  Feed each of these requests, followed by a blank line  (two
    newlines), into your server and see what you get:

        GET /cgi-bin/test-cgi?* HTTP/1.0
        GET /cgi-bin/test-cgi?x *
        GET /cgi-bin/nph-test-cgi?* HTTP/1.0
        GET /cgi-bin/nph-test-cgi?x *

    not to mention

        GET /cgi-bin/phf?Q=x%0apwd
        GET /cgi-bin/phf?Q=x%ffpwd

    then NUKE  everything in  that cgi-bin  dir and  replace what  you
    need  with   well-written  standalone   PROGRAMS  that   start  by
    mistrusting their environment.

    You can also try this:

        GET /cgi-bin/test-cgi?x HTTP/1.0 *
        GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *

SOLUTION

    Type 'chmod  700 nph-test-cgi'  at your  nearest shell  prompt (as
    superuser).

    If it is  necessary to have  the script accessible, then a quick
    fix is to put quotes around all parameters to 'echo':

        echo QUERY_STRING = $QUERY_STRING

    This would become

        echo QUERY_STRING = "$QUERY_STRING"
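    The quoting defect and its fix, reproduced as an added example (this
    is not code from the advisory or from any server distribution): the
    unquoted and quoted 'echo' forms are run against a query of '*' in a
    scratch directory holding two constructed file names, and a grep
    heuristic counts unquoted $VARIABLE arguments to 'echo' in a script.

```shell
#!/bin/sh
# Added example (not part of the advisory or of any server's code):
# reproduces the nph-test-cgi quoting defect in a throwaway directory
# of constructed files, and shows the quoted fix beside it.

# Vulnerable form, as shipped in nph-test-cgi: the unquoted expansion
# is word-split and then glob-expanded by the shell, so a query of '*'
# is replaced by the names of every file in the working directory.
vulnerable_echo() {
    QUERY_STRING=$1
    echo QUERY_STRING = $QUERY_STRING
}

# Hardened form from the SOLUTION section: double quotes suppress both
# word splitting and pathname expansion, so the query prints verbatim.
hardened_echo() {
    QUERY_STRING=$1
    echo QUERY_STRING = "$QUERY_STRING"
}

# Run one of the two forms on a query string inside a temporary
# directory holding two constructed files (hypothetical names, standing
# in for whatever a real cgi-bin directory would contain).
run_in_sandbox() {
    form=$1
    query=$2
    dir=$(mktemp -d) || return 1
    touch "$dir/passwd.bak" "$dir/secret.conf"
    ( cd "$dir" && "$form" "$query" )
    rm -rf "$dir"
}

# Audit helper: count lines in a CGI shell script that pass an unquoted
# $VARIABLE to echo (heuristic: the '$' is not directly preceded by '"').
count_unquoted_echo_vars() {
    grep -c 'echo .*[^"]\$[A-Za-z_][A-Za-z_0-9]*' "$1" || true
}

# Stand-alone demonstration: the first and third lines leak file names.
run_in_sandbox vulnerable_echo '*'
run_in_sandbox hardened_echo   '*'
run_in_sandbox vulnerable_echo 'x *'
```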

    This bug was brought  to you by  Josh Richards <jrichard@FIX.Net>.
    Some vendors  provided information  for the CERT  advisory (dated 18
    February, 1997), so here is what they say:

        Apache
        ======
        The  latest  version  of  Apache,  1.1.3, does not contain the
        nph-test-cgi  cgi-script.  The  test-cgi  script included with
        Apache 1.1.3 does contain the filename globbing bug, but  does
        not ship enabled by default.

        Apache-SSL
        ==========
        The current  version of  Apache-SSL is  against 1.1.1,  and so
        does  not  suffer  from  this  problem.  Also,  Apache-SSL  is
        distributed as patches to Apache, and so does not, in  itself,
        contain any CGI scripts.

        Stronghold
        ==========
        Stronghold 1.3.4 ships with no pre-installed CGI scripts.

        Microsoft
        =========
        With regard to NT/IIS we don't ship the script referenced.
        Also see recommendations at:
             http://www.microsoft.com/intdev
             http://www.microsoft.com/pdc


        National Center for Supercomputing Applications (NCSA)
        ======================================================
        The NCSA(tm) HTTPd comes with  a variety of test cgi  scripts,
        including   nph-test-cgi.    Also   included   are   test-cgi,
        test-cgi.tcl, and  test-env.   These test  scripts are readily
        identified by the word "test" in their names.  They have  been
        provided at the  request of our  web server community  to test
        the server installation and facilitate the development of  cgi
        scripts.   When   working  perfectly   they  provide   private
        information about the server and cgi environment.

        Test  cgi  programs  are  not  intended  to  be  left  on   an
        operational  server.   If  using  the  NCSA  HTTPd  server for
        operational use, many configuration issues must be  addressed.
        Among  those  issues  is  the  use  of cgi scripts.  No script
        should  be  run  on  a  server  that  has  not  been carefully
        reviewed.   This  is  especially  true  for  the test scripts,
        which were never intended to be left on an operational server.

        Users of NCSA HTTPd should be running the most current version
        (1.5.2a) to ensure that security patches are implemented. Test
        cgi scripts should be removed from cgi-bin directories  before
        putting a server in operational use.

        Please  see  http://hoohoo.ncsa.uiuc.edu/security  for further
        details on securely installing the NCSA HTTPd server.

        To  report  security  vulnerabilities  in NCSA products, email
        the    NCSA    Incident    Response    and    Security    Team
        (irst@ncsa.uiuc.edu).

        NCSA is  a trademark  of the  University of  Illinois Board of
        Trustees.