HTTP CGI Access

Impact

Local and remote users may be able to execute arbitrary commands on the HTTP server with the privileges of the httpd daemon. This may be used to compromise the HTTP server and, under certain configurations, gain privileged access.

Background

A security vulnerability has been reported in the webdist.cgi cgi-bin program available with IRIX 5.x and 6.x. webdist.cgi is part of the IRIX Mindshare Out Box software package, which allows users to install software over a network via a World Wide Web interface. webdist.cgi allows webdist(1) to be used via an HTML form interface defined in the file webdist.html, which is installed in the default document root directories for both the Netsite and Out Box servers. Because webdist.cgi does not sufficiently check the arguments passed to it, it may be possible to execute arbitrary commands, via the webdist program, with the privileges of the httpd daemon. When installed, webdist.cgi is accessible by anyone who can connect to the httpd daemon, so the vulnerability may be exploited by remote users as well as local users. Even if a site's webserver is behind a firewall, it may still be vulnerable.

Resolution

Vendor patches to protect against this vulnerability are available from Silicon Graphics Inc., and they should be applied as soon as possible. A workaround to this problem is to immediately remove the execute permissions on the webdist.cgi program to prevent its exploitation. If the Webdist software is not required, it should be removed from the system entirely.

Whether or not any machines on your network are susceptible to this vulnerability, you should consider taking this opportunity to examine your entire httpd configuration. In particular, all CGI programs that are not required should be removed, and all those remaining should be examined for possible security vulnerabilities. It is also important to ensure that all child processes of httpd are running as a non-privileged user. This is often a configurable option. See the documentation for your httpd distribution for more details.
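
The resolution steps above can be scripted as follows. This is an added example, not vendor or advisory code: the function names are hypothetical, and the cgi-bin directory is an assumption that the operator supplies as the first argument.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical; the
# cgi-bin path is an assumption supplied by the operator as $1.

# Print every regular file under DIR ($1) that still has an execute bit set.
list_exec_cgi() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print \
        2>/dev/null | sort
}

# Workaround from the advisory: strip execute permission from every file
# named NAME ($2) under DIR ($1). Prints each path changed; returns 1 if
# no executable copy was found.
disable_cgi() {
    changed=$(find "$1" -type f -name "$2" \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec chmod a-x {} \; -print 2>/dev/null)
    [ -n "$changed" ] || return 1
    printf '%s\n' "$changed"
}

# Read "USER PID PPID COMMAND" rows (ps -eo user,pid,ppid,comm) on stdin and
# print the PID of each httpd process that runs as root and whose parent is
# itself an httpd process, i.e. a child that did not drop privileges.
root_httpd_children() {
    awk '$4 ~ /httpd$/ { user[$2] = $1; parent[$2] = $3 }
         END { for (p in user)
                   if (user[p] == "root" && (parent[p] in user)) print p }' |
        sort -n
}

# Run against a live system only when a cgi-bin directory is given.
if [ $# -gt 0 ]; then
    echo "Disabling webdist.cgi under $1:"
    disable_cgi "$1" webdist.cgi || echo "  (no executable copy found)"
    echo "Executable CGI programs remaining for review:"
    list_exec_cgi "$1"
    echo "httpd children running as root:"
    ps -eo user,pid,ppid,comm | root_httpd_children
fi
```

Removing the execute bits is only the interim workaround; the vendor patch, or removal of the Webdist software, is still required.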

Where can I read more about this?

You may read more about this vulnerability in CERT Advisory 97.12. For those interested in reading more about general WWW security and secure CGI programming, visit the World Wide Web Security FAQ.