Signature Detail

HTTP: nph-test-cgi Directory Listing

This signature detects attempts to exploit a known vulnerability in the nph-test-cgi script included with some HTTP daemons. Unauthorized Web client users can access confidential files.

Extended Description

Description as given by Josh Richards: A security hole exists in the nph-test-cgi script included in most UNIX based World Wide Web daemon distributions. The nph-* scripts exist to allow 'non-parsed headers' to be sent via the HTTP protocol (this is not the cause of this security problem, though). The problem is that nph-test-cgi, which prints out information on the current web environment (just like 'test-cgi' does) does not enclose its arguments to the 'echo' command inside of quotes....shell escapes are not possible (or at least I have not found them to be--yet) but shell *expansion* is.... This means that _any_ remote user can easily browse your filesystem via the WWW. This is a bug with the nph-test-cgi script and _not_ the server itself.

Affected Products

• Apache Software Foundation Apache 0.8.11
• Apache Software Foundation Apache 0.8.14
• Apache Software Foundation Apache 1.0.0
• Apache Software Foundation Apache 1.0.2
• Apache Software Foundation Apache 1.0.3
• Apache Software Foundation Apache 1.0.5
• Apache Software Foundation Apache 1.1.0
• NCSA httpd 1.3.0
• NCSA httpd 1.4.0
• NCSA httpd 1.4.1
• NCSA httpd 1.4.2
• NCSA httpd 1.5.0 a-export
• NCSA httpd 1.5.1
• NCSA httpd 1.5.2
• NCSA httpd 1.5.2 a
• Netscape Commerce Server 1.12.0
• Netscape Communications Server 1.1.0
• Netscape Communications Server 1.12.0
• Netscape Enterprise Server 2.0.0 a

References

• BugTraq: 686
• CVE: CVE-1999-0045
• URL: http://www.cert.org/advisories/CA-1997-07.html