>Number: 3969 >Category: general >Synopsis: cgi-bin directory is wold readable, causing, when the right >cgi's are in place, a root compromise of the entire system >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu Feb 25 19:20:01 PST 1999 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: Apache 1.2.4 ( ntx enhanced server - referer/agent 1.0d6 ) >Environment: Apache/1.2.4 ( ntx enhanced server - referer/agent 1.0d6 ) running on BSD/OS >Description: I send the following mail to NTX.net, the company that adapted Apache 1.2.4 into NTX enhanced:
---------->> Hi, As a security analyst, I've been studying your Apache NTX Enhanced WebServer System. In doing this, I was trying to find holes in your security. I just wanted to let you know that I did find one. It seems that anyone can have read access to the remote server's cgi-bin directory. This can lead to compromise of the remote machine if certain cgi's are found on the system. I found this hole by doing a security check on one of the sites you host. The site in question is www.estock.com. By utilizing NetCraft's (www.netcraft.com) WebServer Check I noticed that www.estock.com is running Apache/1.2.4 ( ntx enhanced server - referer/agent 1.0d6 ). This means that this server is vulnerable to breaches in security. Properly exploited, these breaches on the cgi-level of security could lead to a root compromise of your entire system. I would be happy to discuss this and/or other matters of security with you. I look forward to hearing from you. Best regards, f0bic Spl0it Security Team [EMAIL PROTECTED] <<------------- >How-To-Repeat: www.estock.com/cgi-bin is world readable, giving adversaries the possibility of browsing through the cgi-bin directory and finding out critical information about the system. >Fix: The only easy solution that I see is to chmod 700 on the cgi-bin directory >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]