Common Gateway Interface (CGI) Access
Impact
Older Web server implementations contained CGI scripts that would allow
the user to access files and execute commands on the server. However,
these scripts did not adequately address security and are exploited to
(1) download system and user files, (2) execute commands as the Web
administrator and (3) contaminate Web pages.
Several problems with Microsoft Internet Information Servers (IIS) are
also addressed here. Many FrontPage installations allow the malicious
user to read, delete, and modify pages on IIS (and other
FrontPage-supported) sites. Also, many IIS distributions have sample
programs enabled that allow the hacker to read, delete, or modify web pages.
A recent (1999) exploit in ColdFusion extensions could enable the malicious
user to alter web pages.
Background
Security vulnerabilities have been reported in numerous CGI scripts, including
webdist.cgi, handler.cgi, phf, htmlscript, view-source, and
php.cgi. These scripts can provide the malicious user access to data and
programs on the Web server host.
Similar vulnerabilities may be present with IIS servers (codebrws and
FrontPage) as well as third-party add-ons such as ColdFusion. In addition,
Microsoft's RDS facility is often exploited through IIS.
Resolution
Vendor and Web server patches and workarounds to protect against this
vulnerability are available from Silicon Graphics Inc., the Apache Group,
NCSA, Microsoft, and Allaire (ColdFusion) and should be applied as soon as
possible. A workaround to this problem is to remove the execute permissions
on the offending scripts to prevent their exploitation. If the scripts are
not required, they should be removed from the system.
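The workaround above, as an added example that is not part of the original
advisory: a shell script that finds the scripts named in the Background
section under a CGI directory and removes their execute permissions. The
function names and the directory given on the command line are assumptions.

```sh
#!/bin/sh
# Added example: names below are the scripts listed in the Background section.
# The directory argument (e.g. a server's cgi-bin) is an assumption.

# Print every named script under DIR that still has any execute bit set.
list_exec_cgi() {
    find "$1" -type f \
        \( -name webdist.cgi -o -name handler.cgi -o -name phf \
           -o -name htmlscript -o -name view-source -o -name php.cgi \) \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Strip the execute bits from each match, then re-scan to confirm.
# Returns 0 only when no named script under DIR remains executable.
disable_cgi() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    list_exec_cgi "$1" | while IFS= read -r f; do
        chmod a-x "$f" && echo "disabled: $f"
    done
    [ -z "$(list_exec_cgi "$1")" ]
}

# Usage: sh cgi_audit.sh DIR        report only
#        sh cgi_audit.sh DIR fix    remove execute permissions
if [ $# -ge 1 ]; then
    case ${2:-report} in
        fix) disable_cgi "$1" ;;
        *)   list_exec_cgi "$1" ;;
    esac
fi
```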
Where can I read more about this?
You may read more about this vulnerability in
CERT Advisory 97.12. For those interested in reading more about
general WWW security and secure CGI programming, visit the
World Wide Web Security FAQ.
For a description of the IIS and ColdFusion exploits, go to
Phrack Magazine. Information on
FrontPage can be found at
Microsoft and information on RDS can be found at
RDS.
CVE Reference(s):