[UNIX] Apache Discloses Source Code via POST Requests to a Location with WebDAV and CGI enabled
From: support@securiteam.com
Date: 10/31/02
From: support@securiteam.com To: list@securiteam.com Date: 31 Oct 2002 14:44:04 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Apache Discloses Source Code via POST Requests to a Location with WebDAV
and CGI enabled
------------------------------------------------------------------------
SUMMARY
There is an information leakage in Apache that results from an interaction
between WebDAV and CGI.
DETAILS
Vulnerable systems:
* Apache version 2.0.42
Immune systems:
* Apache version 2.0.43
Apache allows remote attackers to obtain the source of CGI scripts that
are stored in locations for which both CGI and WebDAV are enabled. When a
POST request is sent to a CGI script on an affected server, this
vulnerability will cause the source code of the script to be returned to
the attacker.
Impact:
Remote attackers can obtain the source code of CGI scripts located on
affected servers.
Solution:
Apply a patch from your vendor.
This vulnerability was addressed in Apache version 2.0.43, available at
http://httpd.apache.org/download.cgi. For vendor-specific information
regarding this issue, please see the Systems Affected section of this
document.
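To find which parts of a server meet the precondition described above (CGI and WebDAV enabled for the same location), a configuration audit along the following lines can be used. This is an added example, not part of the original advisory or of Apache; the sample configuration and the function name `dav_cgi_overlap` are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
<Directory "/var/www/cgi-bin">
    Options +ExecCGI
    Dav On
</Directory>
<Directory "/var/www/dav">
    Dav On
    Options None
</Directory>
<Location /scripts>
    SetHandler cgi-script
</Location>
"""

SECTION_OPEN = re.compile(r"^<(Directory|Location|Files)(?:Match)?\s+(.+?)>$", re.I)
SECTION_CLOSE = re.compile(r"^</(Directory|Location|Files)(?:Match)?>$", re.I)
# "Dav On" or "Dav <provider>" enables WebDAV; "Dav Off" does not.
DAV_ON = re.compile(r"^Dav\s+(?!off\b)\S+", re.I)
# CGI execution: Options ExecCGI/All (not "-ExecCGI") or the cgi-script handler.
CGI_ON = re.compile(
    r"^(Options\b.*(?<![-\w])(ExecCGI|All)\b|(Set|Add)Handler\s+cgi-script\b)", re.I)


def dav_cgi_overlap(conf_text):
    """Return the config sections that enable both WebDAV and CGI."""
    # Limitation: no merging of overlapping sections; innermost section only.
    stack, flags = ["(server config)"], {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2).strip(chr(34))}")
            continue
        if SECTION_CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
            continue
        scope = flags.setdefault(stack[-1], set())
        if DAV_ON.match(line):
            scope.add("dav")
        if CGI_ON.match(line):
            scope.add("cgi")
    return [name for name, seen in flags.items() if {"dav", "cgi"} <= seen]
```

Calling `dav_cgi_overlap()` on the text of a server's configuration file lists the sections to review first on hosts still running the vulnerable version.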
ADDITIONAL INFORMATION
The original advisory can be downloaded by going to:
http://www.kb.cert.org/vuls/id/910713
The information has been provided by CERT.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.