BugTraq
CGI Script Source Code Disclosure Vulnerability in Apache for Windows Aug 09 2006 10:15AM
susam pal gmail com (1 replies)
Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows Aug 16 2006 09:15AM
Joe Orton (jorton redhat com)
On Wed, Aug 09, 2006 at 10:15:42AM -0000, susam.pal (at) gmail (dot) com [email concealed] wrote:
> ADVISORY NAME:
> CGI Script Source Code Disclosure Vulnerability in Apache for Windows
...
> But a similar configuration isn't safe in Windows. For instance:-
>
> # Sample Unsafe Configuration for Windows
> DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
> ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"
>
> If the scripts' directory (represented by 'ScriptAlias') lies inside
> the document-root directory (represented by 'DocumentRoot') and the
> name of the script-alias is same as that of the directory containing
> the scripts then the attacker can obtain the source code of the CGI
> scripts by making a direct request to 'http://[target]/CGI-BIN/foo'.

This is not a security vulnerability in the server, but rather a serious
misconfiguration of the ScriptAlias Directive. ScriptAlias exists to
allow CGI scripts to be stored in a directory outside of the document
tree. Common convention is never to include cgi-bin within the document
tree.

Regards,
Joe Orton

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus