phf:
CVE 1999-0067
The phf cgi program comes with the NCSA 1.5 and Apache 1.03 web servers.
Other distributions may also ship the phf cgi program in the cgi-bin
directory. The program relies on the escape_shell_cmd() function, which
can allow execution of system commands (ex: cat /etc/password). Therefore,
if a malicious user determines that the phf cgi is present on the system,
they can execute commands with the same privileges as the web server.
campas:
CVE 1999-0146
The campas cgi program is installed with older versions of the NCSA web
server. A malicious user may be able to execute commands with the same
privileges as the web server.
handler:
CVE 1999-0147
The handler cgi is part of the Outbox Environment subsystem on IRIX 5.x
and 6.x systems. The cgi can be manipulated to execute commands at the
privilege level of the web server.
Check whether the Outbox subsystem is installed:
% /usr/sbin/versions outbox.sw
I = Installed, R = Removed

   Name                   Date        Description

I  outbox                 03/23/97    Outbox Environment, 1.2
I  outbox.sw              03/23/97    Outbox End-User Software, 1.2
I  outbox.sw.outbox       03/23/97    Outbox Software Tools, 1.2
I  outbox.sw.webdist      03/23/97    Web Software Distribution Tools, 1.2
htmlscript:
CVE 1999-0264
htmlscript "is an HTML based web development language which provides the
power of scripting via new, easy-to-use tag," according to BugTraq.
htmlscript, from www.htmlscript.com, has a vulnerability which allows a
malicious user to access files. According to htmlscript, the vulnerability
exists in 2.99x; version 3.x/Miva 1.x does not contain it.
php:
CVE 1999-0058
php is an NCSA cgi enhancement. The cgi has a vulnerability that lets
unauthorized users view files on the system. The cgi works by taking the
path to the file as an argument:
http://hostname/cgi-bin/php.cgi?/look-at-this-file
php.cgi will let the malicious user view any file that the web server has
privilege to read.
count:
CVE 1999-0021
The count program is used to count the number of times a particular web
page has been accessed. In the program there is "...insufficient bounds
checking on arguments which are supplied by users.." It is therefore
possible to overwrite the stack space and execute commands. A malicious
user can craft a specific argument to count.cgi and force it to execute
commands with the privileges of the web server.
jj:
CVE 1999-0260
jj is a demo cgi program. It does not check user input to the /bin/mail
program. Therefore, a malicious user can have any output they wish to
view mailed to themselves. For example, if the web server is running as
root, they may mail themselves the password file.
pfdispaly:
The pfdispaly (sic) cgi is part of the IRIS
Performer API Search Tool which is a web based search tool that comes
with the IRIX
6.2-6.4 operating system. The vulnerability could allow access to
files with the privileges of the user "nobody."
faxsurvey:
CVE 1999-0262
The faxsurvey cgi could allow a malicious user to execute any command they
want at the privilege level of the http server. The cgi is part of the
HylaFAX package that comes with S.u.S.E. 5.1 & 5.2. Older versions may
also be vulnerable.
info2www:
CVE 1999-0266
The info2www cgi translates the Info Nodes that a user can view in Emacs
to HTML on the fly. The script is written in perl and can allow a
malicious user to execute system commands at the privilege level of the
web server. Not all versions of info2www are considered vulnerable. To
determine whether your script is vulnerable, check whether it carries a
version number greater than 1.1. If it has no version number, it is most
likely vulnerable; version 1.1 is also vulnerable.
textcounter:
textcounter is a perl script that displays a text-based count of the
number of visitors to the web page. The counter needs to read, write, and
create a file to store the number of visitors. The vulnerability comes
from a lack of a test for shell metacharacters. A malicious user may be
able to have perl execute commands at the web server privilege level.
See BugTraq for more information on the vulnerability.
aglimpse/glimpse:
CVE 1999-0148
Glimpse is a search and indexing tool. aglimpse/glimpse is an interface to
the Glimpse search tool. The cgi is written in perl. The vulnerability can
allow access to the password file by mailing it to a malicious user.
WebGais & websendmail:
CVE 1999-0176
CVE 1999-0196
WebGAIS is an interface to the Global Area Intelligent Search (GAIS)
index/search tool. The cgi can be tricked into executing system commands
with the privileges of the web server.
websendmail is a cgi that comes with the WebGAIS package. websendmail can
be tricked into sending the password file to a malicious user because
there is no check on what type of characters are sent to the perl cgi.
Therefore, given a certain set of metacharacters, a malicious user may be
able to have the cgi execute system commands with the privileges of the
web server.
perl/perl.exe:
Perl is an interpreted scripting language: to run a perl script, the
interpreter is invoked on it. However, the interpreter should not be in
the cgi-bin directory of the web server. If there is a perl interpreter or
a link to the interpreter there, then a malicious user can do everything
the normal perl interpreter can do from the command line.
Some very good rules to live by that have been found on the web:
view_source:
CVE 1999-0174
The cgi comes on the SCO Skunkware cdroms. The cgi is meant to display
documents; however, it does not check its arguments correctly and can
therefore show files with the privileges of the web server.
uploader.exe:
CVE 1999-0177
O'Reilly's WebSite web server contains a program called uploader.exe,
some versions of which allow any remote user to upload arbitrary files
anywhere on the server. This could be used to upload executable files
into the cgi-bin directory and run them from the browser, thus allowing
an attacker to execute arbitrary commands on the server.
args.cmd:
This script, found on WebSite web servers, echoes parameters without
checking them for illegal characters. Arbitrary code could be executed by
passing it a parameter containing quote and newline characters.
win-c-sample.exe:
CVE 1999-0178
This script puts input parameters into a fixed-length string without
checking the length of the string, causing a buffer overflow condition.
This condition can be used to execute arbitrary code on the server.
product.asp, product.ast:
CVE 2000-0161
These scripts are sometimes found on Microsoft Site Server 3.0
(Commerce Edition) web servers. The first is part of the Volcano Coffee
sample site. The second is created by the Site Builder wizard. These
scripts accept user input which is put into an SQL query without any
validity checking. A malicious user could supply input which includes
arbitrary SQL commands to Read, Create, Modify, or Delete data.
htsearch:
CVE 2000-0208
This is part of the htdig package. A remote user
can view any file on the system by passing the filename enclosed by
backticks to htsearch as an input parameter.
Versions of htdig prior to 3.1.4 and 3.2.0b1
are vulnerable.
infosrch.cgi:
CVE 2000-0207
This script, found on IRIX systems, allows man pages
and other documentation to be viewed over the web. It does not validate
the "fname" input parameter, which could allow an attacker to execute
arbitrary commands using special shell characters.
ChangeAdminPassword:
This script comes with Cart32, an E-commerce Shopping Cart package.
It allows the administrative password for the Shopping Cart application
to be changed without any knowledge of the previous one. Once the
password is set, it can be used to execute arbitrary commands using
a specially crafted URL.
phf:
It is recommended that you remove the cgi from the cgi-bin directory.
The program is not required to run the web server.
campas:
It is recommended that you remove the cgi from the cgi-bin directory.
The program is not required to run the web server.
handler:
Patches are available from the SGI FTP site. You may also remove the
Outbox subsystem if there is no need for it to be installed.
htmlscript:
Upgrade to the newest version which can be found at the htmlscript.com
website.
php:
The author has the following solution: in the php.h file, add the line
#define PATTERN_RESTRICT ".*\\.phtml$"
which restricts php.cgi to viewing files with phtml as the extension (the
dot before phtml is escaped so the pattern matches the extension literally).
The current version can be found at http://www.vex.net/php. For more
details, see here.
count:
It is recommended to upgrade to the latest version, and at least to
version 2.4. An alternative to upgrading is to remove the execute
permissions from the cgi; however, this will cause the counter on the web
page not to work correctly. The rest of the web page should continue to
look the same. For more details, see the CERT advisory.
jj:
Since the program is a demo, it is recommended that it be removed from
the cgi-bin directory.
pfdispaly:
CVE 1999-0270
Change the permissions of the cgi: /bin/chmod 500 /var/www/cgi-bin/pfdispaly.cgi
The permission should be -r-x------. BugTraq
has information about the pfdispaly vulnerability.
faxsurvey:
There have been a variety of attempts made to fix the code in faxsurvey.cgi.
However, the best thing to do is remove it from the cgi-bin directory if
there is no need for the cgi.
info2www:
It is recommended that the script be updated to the latest version, 1.2.
You can read about the vulnerability at BugTraq.
textcounter:
To fix the vulnerability, add the second line below after line 91 (taken from BugTraq):
$count_page = "$ENV{'DOCUMENT_URI'}";                          # the original 91 line ....
$count_page =~ s/([^a-z0-9])/sprintf("%%%02X",ord($1))/ge;     # ADD THIS !!!!!
The added line percent-encodes every character outside [a-z0-9], so shell
metacharacters never reach the shell; ord() passes the character code to
sprintf, which with the bare character would print %00 for everything.
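The textcounter fix above (percent-encode everything outside [a-z0-9]) and the php.cgi fix (the PATTERN_RESTRICT suffix check) both reduce to small validation rules. The following Python is an added example, not code from the page or from either project: it re-implements both rules and, as an extra check assumed for this example, also confines the resolved path to a document root, because a suffix pattern alone says nothing about which directory a name points into.

```python
import os
import re
from typing import Optional

# Added example: re-implements the textcounter and php.cgi fix rules in Python.
# None of this is the original Perl or C code; the document-root confinement
# (resolve_within) is an extra check assumed for this example.

# textcounter's rule: every character outside [a-z0-9] gets percent-encoded.
SHELL_UNSAFE = re.compile(r"[^a-z0-9]")


def encode_like_textcounter(value: str) -> str:
    """Percent-encode every character outside [a-z0-9].

    The result cannot contain shell metacharacters (; | ` $ newline ...),
    which is what the BugTraq line added after line 91 achieves.
    """
    return SHELL_UNSAFE.sub(lambda m: "%%%02X" % ord(m.group(0)), value)


def contains_shell_metachar(value: str) -> bool:
    """True if the value would need encoding, i.e. a script that wants to
    hand it to a shell untouched should reject it instead."""
    return SHELL_UNSAFE.search(value) is not None


# php.cgi's rule: the requested name must match PATTERN_RESTRICT.
PATTERN_RESTRICT = re.compile(r".*\.phtml$")


def matches_pattern_restrict(requested: str) -> bool:
    """Mirror of the PATTERN_RESTRICT check: only names ending in .phtml pass."""
    return PATTERN_RESTRICT.match(requested) is not None


def resolve_within(root: str, requested: str) -> Optional[str]:
    """Resolve 'requested' under 'root'; return it only if it stays inside.

    Assumed extra check: the suffix pattern accepts '../../x.phtml', so the
    resolved path is confined to the document root as well.
    """
    root_abs = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_abs, requested.lstrip("/")))
    if target == root_abs or target.startswith(root_abs + os.sep):
        return target
    return None


def php_cgi_safe_target(root: str, requested: str) -> Optional[str]:
    """Apply both checks; None means the request must be refused."""
    if not matches_pattern_restrict(requested):
        return None
    return resolve_within(root, requested)
```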
aglimpse/glimpse:
GlimpseHTTP
is no longer available for updating, however, there is a new Glimpse interface
called
WebGlimpse. It is recommended
that the system be updated with WebGlimpse.
webgais & websendmail:
The best thing to do is upgrade to the latest version of the WebGAIS
package. After getting the latest version, disable the websendmail
cgi that is included in the package.
perl/perl.exe:
Remove the links and binaries of the perl
interpreter from the cgi-bin directory.
www-sql:
It is recommended that the script be updated to the latest version.
view_source:
According to BugTraq
it is best to remove the cgi.
Whether any machines on your network are susceptible to this vulnerability or not, you should consider taking this opportunity to examine your entire httpd configuration. In particular, all CGI programs that are not required should be removed, and all those remaining should be examined for possible security vulnerabilities. It is also important to ensure that all child processes of httpd are running as a non-privileged user. This is often a configurable option. See the documentation for your httpd distribution for more details.
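As an added example (not code from the page or from any package named here), the following Python performs the inventory step the paragraph above recommends: it audits a cgi-bin directory for the programs listed on this page and for a perl interpreter or a link to one. It matches on the base name before the first dot, an assumption made because the page lists names with and without extensions; demo() builds a constructed directory to run against.

```python
import os
import sys
import tempfile
from pathlib import Path
from typing import List, Tuple

# Added example: inventory a cgi-bin directory against the programs named on
# this page. Matching is by base name before the first dot (an assumption,
# since the page lists names with and without extensions).
LISTED_CGIS = {
    "phf", "campas", "handler", "php", "count", "jj", "pfdispaly",
    "faxsurvey", "info2www", "textcounter", "aglimpse", "glimpse",
    "websendmail", "view_source", "uploader", "args", "win-c-sample",
    "htsearch", "infosrch",
}


def audit_cgi_bin(cgi_dir) -> List[Tuple[str, str]]:
    """Return (name, reason) for every entry that should be reviewed or removed."""
    findings = []
    for entry in sorted(Path(cgi_dir).iterdir()):
        stem = entry.name.split(".")[0].lower()
        executable = os.access(entry, os.X_OK) and not entry.is_dir()
        if stem == "perl":
            # A perl interpreter (or a link to one) in cgi-bin gives a remote
            # user everything perl can do from the command line.
            if entry.is_symlink():
                reason = "perl interpreter link -> %s" % os.readlink(entry)
            else:
                reason = "perl interpreter binary in cgi-bin"
            findings.append((entry.name, reason))
        elif stem in LISTED_CGIS:
            state = "executable" if executable else "not executable"
            findings.append((entry.name, "listed vulnerable cgi (%s)" % state))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed cgi-bin in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        cgi = Path(tmp) / "cgi-bin"
        cgi.mkdir()
        for name in ("phf", "count.cgi", "myapp.cgi"):  # constructed sample files
            script = cgi / name
            script.write_text("#!/bin/sh\n")
            script.chmod(0o755)
        (cgi / "perl").symlink_to("/usr/bin/perl")  # a link to the interpreter
        return audit_cgi_bin(cgi)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/www/cgi-bin"  # assumed path
    for name, reason in audit_cgi_bin(target):
        print(name, "-", reason)
```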
uploader.exe:
Delete uploader.exe from the system. Use ftp
to upload files.
args.cmd:
Delete args.cmd. It is provided as a sample program
and is not needed on an operational web server.
win-c-sample.exe:
Delete win-c-sample.exe. It is provided as a sample
program and is not needed on an operational web server.
product.asp, product.ast:
Install a patch. See the
Microsoft Security Bulletin for patch information.
htsearch:
Upgrade to the latest version of htdig.
infosrch.cgi:
Remove or disable infosrch.cgi.
ChangeAdminPassword:
On Windows NT, change the permissions on c32web.exe so that it is only accessible
by administrators. On Windows 95 or 98, remove c32web.exe.
Alternatively, apply the patch developed by
L0pht.