Common Gateway Interface (CGI) Access

Impact

Older Web server implementations contained CGI scripts that allow the user to access files and execute commands on the server. These scripts did not adequately address security and are exploited to (1) download system and user files, (2) execute commands as the Web administrator, and (3) contaminate Web pages.

Several problems with Microsoft Internet Information Server (IIS) are also addressed here. Many FrontPage installations allow the malicious user to read, delete, and modify pages on IIS (and other FrontPage-supported) sites. Also, many IIS distributions have sample programs enabled that allow the hacker to read, delete, or modify web pages.

A recent (1999) exploit in ColdFusion extensions could enable the malicious user to alter web pages.

Background

Security vulnerabilities have been reported in numerous CGI scripts, including webdist.cgi, handler.cgi, phf, htmlscript, view-source, and php.cgi. These scripts can provide the malicious user access to data and programs on the Web server host.

Similar vulnerabilities may be present with IIS servers (codebrws and FrontPage) as well as third-party add-ons such as ColdFusion. In addition, Microsoft's RDS facility is often exploited through IIS.

Resolution

Vendor and Web server patches and workarounds to protect against this vulnerability are available from Silicon Graphics Inc., the Apache Group, NCSA, Microsoft, and Allaire (ColdFusion) and should be applied as soon as possible. A workaround to this problem is to remove the execute permissions on the offending scripts to prevent their exploitation. If the scripts are not required, they should be removed from the system.
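
The workaround above can be checked and applied with a short shell audit. This is an added example, not part of the original advisory: the function names and the file name audit_cgi.sh are hypothetical, and the CGI directory is whatever path you pass in.

```shell
#!/bin/sh
# Added example: audit a CGI directory for the scripts named on this page.

# Script names from the Background section.
KNOWN_CGI="webdist.cgi handler.cgi phf htmlscript view-source php.cgi"

# True when regular file $1 has any execute bit set (owner, group or other).
# Mode bits are read with find so the answer does not depend on who runs it.
has_exec_bit() {
    [ -n "$(find "$1" -prune -type f \( -perm -100 -o -perm -010 -o -perm -001 \))" ]
}

# audit_cgi_dir DIR [fix]
# Prints one line per listed script found under DIR (subdirectories included):
#   EXECUTABLE <path>  execute bits set, the web server can still run it
#   DISABLED <path>    present, but no execute bits
#   FIXED <path>       execute bits removed by this run ("fix" mode only)
audit_cgi_dir() {
    dir=$1
    mode=${2:-report}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for name in $KNOWN_CGI; do
        find "$dir" -type f -name "$name"
    done | while IFS= read -r path; do
        if ! has_exec_bit "$path"; then
            echo "DISABLED $path"
        elif [ "$mode" = fix ] && chmod a-x "$path"; then
            echo "FIXED $path"
        else
            echo "EXECUTABLE $path"
        fi
    done
}

# Stand-alone use (hypothetical file name): sh audit_cgi.sh /path/to/cgi-bin [fix]
if [ $# -gt 0 ]; then
    audit_cgi_dir "$@"
fi
```

Scripts reported as DISABLED or FIXED are still on disk; if they are not required, remove them as the resolution above recommends.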

Where can I read more about this?

You may read more about this vulnerability in CERT Advisory 97.12. For those interested in reading more about general WWW security and secure CGI programming, visit the World Wide Web Security FAQ.

For a description of the IIS and ColdFusion exploits, go to Phrack Magazine. Information on FrontPage can be found at Microsoft and information on RDS can be found at RDS.

CVE Reference(s):