Vulnerability in the httpd nph-test-cgi script
Last revised: September 26, 1997
Updated copyright statement
A complete revision history is at the end of this file.
Because of ongoing activity relating to a vulnerability in the nph-test-cgi script included with some http daemons, the CERT Coordination Center staff is issuing this recommendation to check your cgi-bin directory. By exploiting this vulnerability, users of Web clients can read a listing of files they are not authorized to see.
The CERT/CC team recommends removing the script from your system and checking Appendix A of this advisory for information provided by vendors.
We also urge you to read CERT advisory CA-96.06.cgi_example_code for another CGI-related vulnerability that continues to be exploited.
We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.
I. DescriptionA vulnerability in the nph-test-cgi script included with some http daemons makes it possible for the users of Web clients to read a listing of files they are not authorized to read. This script is designed to display information about the Web server environment, but it parses data requests too liberally and thus allows a person to view a listing of arbitrary files on the Web server host.
II. ImpactBy exploiting this vulnerability, remote users can read a listing of files they are not authorized to read. Access to an account on the system is not necessary.
III. SolutionWe recommend removing or disabling the nph-test-cgi script (see Sec. A). If you must keep the script, follow the suggestion in Sec. B. All readers should also check Appendix A for information supplied by vendors.
A. Remove or disable the scriptSome World Wide Web servers include this script by default, but it is possible that some sites have installed this script manually. Therefore, we encourage all sites to check whether they have this script by searching for the file nph-test-cgi in the cgi-bin directory associated with their web server.
If you find the script, we urge you to either remove the program itself or remove the execute permissions from the program. The nph-test-cgi program is not required to run httpd successfully.
Also note that a web server may have multiple cgi-bin directories. It is not sufficient to look in the regular location only. For example, in the NCSA HTTPd server, you can specify alternate locations for the scripts by setting the ScriptAlias directive in the srm.conf file. See your vendor's documentation to learn if your sever provides this feature. If you are using this feature, you need to remove the nph-test-cgi script or apply the workaround below in every cgi-bin directory.
B. Modify existing scriptsIf you must continue to use this test-cgi script, then we encourage you to search for lines of code that echo variables and ensure that the variable string to be echoed is quoted. For instance, lines of the form:
echo QUERY_STRING = $QUERY_STRING
echo QUERY_STRING = "$QUERY_STRING"
C. Vendor InformationPlease check Appendix A for information supplied by vendors; we will update the appendix as we receive additional information. If you do not see your vendor's name, then we did not hear from that vendor. Please contact the vendor directly.
Note: Even if your vendor did not ship the nph-test-cgi script, you should check your cgi-bin directory in case someone at your site added such a script later.
IV. Additional ReadingSeveral resources relating to Web security in general are available. The following resources provide a useful starting point. They include links describing general WWW security, secure httpd setup, and secure CGI programming.
The World Wide Web Security FAQ:
NSCA's "Security Concerns on the Web" Page:
The following book contains useful information, including sections on secure programming techniques.
Practical Unix & Internet Security, Simson Garfinkel and Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.
(Note that we provide these pointers for your convenience. As this is not CERT/CC material, we cannot be responsible for content or availability. Please contact the administrators of the sites if you have difficulties with access.)
Appendix A - Vendor InformationBelow is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly.
ApacheThe latest version of Apache, 1.1.3, does not contain the nph-test-cgi cgi-script. The test-cgi script included with Apache 1.1.3 does contain the filename globbing bug, but does not ship enabled by default.
Apache-SSLThe current version of Apache-SSL is against 1.1.1, and so does not suffer from this problem. Also, Apache-SSL is distributed as patches to Apache, and so does not, in itself, contain any CGI scripts.
StrongholdStronghold 1.3.4 ships with no pre-installed CGI scripts.
MicrosoftWith regard to NT/IIS we don't ship the script referenced.
Also see recommendations at
http://www.microsoft.com/intdev and http://www.microsoft.com/pdc
National Center for Supercomputing ApplicationsThe NCSAtm HTTPd comes with a variety of test cgi scripts, including nph-test-cgi. Also included are test-cgi, test-cgi.tcl, and test-env. These test scripts are readily identified by the word "test" in their names. They have been provided at the request of our web server community to test the server installation and facilitate the development of cgi scripts. When working perfectly they provide private information about the server and cgi environment.
Test cgi programs are not intended to be left on an operational server. If using the NCSA HTTPd server for operational use, many configuration issues must be addressed. Among those issues is the use of cgi scripts. No script should be run on a server that has not been carefully reviewed. This is especially true for the test scripts, which were never intended to be left on an operational server.
Users of NCSA HTTPd should be running the most current version (1.5.2a) to ensure that security patches are implemented. Test cgi scripts should be removed from cgi-bin directories before putting a server in operational use.
Please see http://hoohoo.ncsa.uiuc.edu/security for further details on securely installing the NCSA HTTPd server.
To report security vulnerabilities in NCSA products, email the NCSA Incident Response and Security Team (firstname.lastname@example.org).
NCSA is a trademark of the University of Illinois Board of Trustees.
The CERT Coordination Center thanks David Kennedy of the National Computer Security Association, Ken Rowe of the NCSA(tm) IRST, and Josh Richards for providing information about this problem.
Copyright 1997 Carnegie Mellon University.
September 26, 1997 Updated copyright statement February 21, 1997 Acknowledgements - corrected organization names.