Summary:
Apache HTTPD is "a web server that can run on many platforms to provide web-service". A vulnerability in Apache running on Windows allows remote attackers to disclose the content of files located on the remote machine.
Credit:
The information has been provided by Susam Pal.
The original article can be found at: http://susampal.blogspot.com/
Vulnerable Systems:
* Apache 2.2.2 running on Microsoft Windows XP, Version 2002, Service Pack 2
Background:
The basic server configuration is controlled by the file 'httpd.conf'. The 'DocumentRoot' directive controls which directory is considered to be root for serving documents. For instance:
DocumentRoot "/home/webmaster/site/docroot/"
In the above example, a request to 'http://[target]/foo.html' would fetch the 'foo.html' page from the '/home/webmaster/site/docroot/' directory of the server.
The 'ScriptAlias' directive controls which directory contains server scripts. The following is an example of a typical 'ScriptAlias' directive:
ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"
If a user makes a direct request to 'http://[target]/cgi-bin/foo', where 'cgi-bin' is the scripts directory and 'foo' is the script, the user gets the output of the 'foo' script. In a secure system, the user is not supposed to be able to view the source code of 'foo' by making an HTTP GET request.
Vulnerability description:
Usually the following directives in the 'httpd.conf' file can be considered safe on Unix/Linux (assuming that the other directives haven't been edited carelessly):
# Sample Safe Configuration for Unix/Linux
DocumentRoot "/home/webmaster/site/docroot/"
ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"
But a similar configuration isn't safe on Windows. For instance:
# Sample Unsafe Configuration for Windows
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"
If the scripts directory (given by 'ScriptAlias') lies inside the document-root directory (given by 'DocumentRoot') and the name of the script alias is the same as that of the directory containing the scripts, then an attacker can obtain the source code of the CGI scripts by making a direct request to 'http://[target]/CGI-BIN/foo'.
Apache matches the request path against the 'ScriptAlias' directive case-sensitively when deciding whether the requested directory is a scripts directory. When Apache receives a request for a file in the 'CGI-BIN' directory, it finds that 'CGI-BIN' differs from the 'cgi-bin' named in the 'ScriptAlias' directive and concludes that the request does not hit a script alias. It then looks for a 'CGI-BIN' directory under the document root and finds it, because file and directory names are not case-sensitive on Windows. It therefore sends the content of the 'foo' file as the HTTP response; it does not execute the 'foo' script, because the file was not found through a directory pointed to by a script alias.
Exploit:
The vulnerability can be exploited by making a direct request to http://[target]/CGI-BIN/foo
Prevention:
1. Choosing a name for the directory containing the scripts that differs from the 'ScriptAlias' name will reduce the risk. For instance,
# Sample Configuration for Reducing Risk
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/sdy1x9y/"
The attacker can still get the source code by making a direct request to 'http://[target]/sdy1x9y/foo' if the attacker can somehow determine that 'ScriptAlias /cgi-bin/' refers to the 'sdy1x9y' directory.
2. A more secure preventive measure is to place the scripts folder outside the 'DocumentRoot' directory and then point a 'ScriptAlias' at it. For instance,
# Sample Configuration for Increased Security
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin"
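The following audit script is an added example, not part of the advisory or of Apache itself. It parses the 'DocumentRoot' and 'ScriptAlias' directives out of an httpd.conf and flags the two situations the advisory describes: a scripts directory that sits inside the document root under the same name as its alias (reachable by a differently cased request on a case-insensitive filesystem), and a scripts directory inside the document root under a different name (reachable if the name is guessed). The three sample configurations embedded in it are constructed copies of the advisory's examples; the function and field names are the example's own.

```python
import posixpath
import re

# Constructed sample configurations, copied from the advisory's examples.
UNSAFE_CONF = '''
# Sample Unsafe Configuration for Windows
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"
'''

REDUCED_RISK_CONF = '''
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/sdy1x9y/"
'''

SAFER_CONF = '''
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin"
'''

# Apache directive names are case-insensitive; one directive per line.
_DIRECTIVE = re.compile(r'^\s*(DocumentRoot|ScriptAlias)\s+(.*)$',
                        re.IGNORECASE | re.MULTILINE)


def _split_args(rest):
    """Split directive arguments, honouring double-quoted values (paths with spaces)."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', rest)]


def parse_conf(text):
    """Return (document_root, [(url_prefix, fs_path), ...]) from httpd.conf text."""
    docroot = None
    aliases = []
    for m in _DIRECTIVE.finditer(text):
        name, args = m.group(1).lower(), _split_args(m.group(2))
        if name == 'documentroot' and args:
            docroot = args[0]
        elif name == 'scriptalias' and len(args) >= 2:
            aliases.append((args[0], args[1]))
    return docroot, aliases


def _norm(path):
    """Normalise a path the way a case-insensitive Windows filesystem would compare it:
    forward slashes, no trailing slash, lower case."""
    return posixpath.normpath(path.replace('\\', '/')).rstrip('/').lower()


def find_exposed_aliases(text):
    """Return findings for ScriptAlias directives whose target lies inside DocumentRoot.

    risk 'high':   target directory name equals the alias name (ignoring case), so a request
                   with different letter case bypasses the alias and is served as a plain file.
    risk 'medium': target is inside DocumentRoot under a different name; still served as a
                   plain file if that name is known.
    """
    docroot, aliases = parse_conf(text)
    findings = []
    if docroot is None:
        return findings
    root = _norm(docroot)
    for url_prefix, fs_path in aliases:
        target = _norm(fs_path)
        if not target.startswith(root + '/'):
            continue  # scripts live outside the document root: not reachable as static files
        alias_name = posixpath.basename(url_prefix.rstrip('/')).lower()
        dir_name = posixpath.basename(target)
        served_from = '/' + target[len(root) + 1:] + '/'
        findings.append({
            'alias': url_prefix,
            'target': fs_path,
            'risk': 'high' if alias_name == dir_name else 'medium',
            'served_from': served_from,
        })
    return findings


if __name__ == '__main__':
    for label, conf in (('unsafe', UNSAFE_CONF), ('reduced', REDUCED_RISK_CONF),
                        ('safer', SAFER_CONF)):
        print(label, find_exposed_aliases(conf))
```

Run it against a real httpd.conf by reading the file into `find_exposed_aliases`; an empty list means every 'ScriptAlias' target is outside 'DocumentRoot', which is the second, stronger prevention the advisory recommends. The check is deliberately filesystem-agnostic, so it also flags the same layout on Unix, where the case trick does not apply but a scripts directory under the document root is still a layout worth questioning.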