Information Disclosure through Default Apache Scripts

Integrigy Security Alert

______________________________________________________________________

 

July 11, 2002

______________________________________________________________________

 

Summary:

 

As part of a default Apache installation, two default cgi-bin scripts, printenv and test-cgi, are installed. Oracle has included these scripts in the installation of 11i. These scripts provide information regarding the installation, which could be used in an attack.

 

Product:    Oracle E-Business Suite

Versions:   11.5.x - All versions

Platforms:  All platforms

Risk Level: Low

______________________________________________________________________

 

Description:

 

Oracle iAS is based on the public domain web server Apache. The default Apache installation includes two debugging cgi-bin scripts -- printenv and test-cgi. In early releases, the test-cgi script was vulnerable to numerous attacks. In the versions of Apache and iAS supported by 11i, neither script is dangerous, but both provide information to potential attackers.

 

Here is a sample of some of the information that may be provided --

 

printenv

  FND_TOP=/u01/dev1appl/fnd/11.5.0
  ORACLE_HOME=/u01/dev1ora/8.0.6
  FORMS60_WEB_CONFIG_FILE=/u01/dev1comn/html/bin/appsweb.cfg
  PATH=/u01/dev1ora/iAS/Apache/Apache/bin:/u01/dev1ora/iAS/bin:/u01 ...

test-cgi

  SERVER_SOFTWARE = Apache/1.3.9 (Unix) ApacheJServ/1.1 mod_perl/1.21

 

To access the scripts the URLs are

 

  http://<host name>:<port number>/cgi-bin/printenv

  http://<host name>:<port number>/cgi-bin/test-cgi

 

Solution:

 

Remove the reference to the default cgi-bin directory in the httpds.conf (or httpd.conf on Windows NT/2000), which is located in the <sid>iAS/Apache/Apache/conf directory.

 

These scripts may be useful for debugging purposes, so commenting out the section in the httpds.conf is recommended. The section will appear as follows --

 

  #
  # ScriptAlias: This controls which directories contain server scripts.
  # ScriptAliases are essentially the same as Aliases, except that
  # documents in the realname directory are treated as applications and
  # run by the server when requested rather than as documents sent to
  # the client.
  # The same rules about trailing "/" apply to ScriptAlias directives as
  # to Alias.
  #
  ScriptAlias /cgi-bin/ "<iAS home path>/iAS/Apache/Apache/cgi-bin/"
  #
  # "/usr/local/apache/cgi-bin" should be changed to whatever your
  # ScriptAliased CGI directory exists, if you have that configured.
  #
  <Directory "<iAS home path>/iAS/Apache/Apache/cgi-bin">
   AllowOverride None
   Options None
   Order allow,deny
   Allow from all
  </Directory>
  #

 

Place a "#" in front of the "ScriptAlias" and all the lines in the "Directory" section.

 

Stop and restart Apache using the adapcctl.sh script in order to reload httpds.conf.
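
One way to confirm that the ScriptAlias line and the whole Directory section are commented out, and to produce a commented-out copy for review, shown as an added example that is not part of the original advisory. The function names are hypothetical and the sample config is constructed, with paths modelled on the printenv output above.

```shell
# Added example, not part of the advisory; function names are hypothetical.
# active_cgi_lines FILE: list uncommented lines of the cgi-bin section (the
# ScriptAlias line and the matching <Directory> block). Returns 1 if any remain.
active_cgi_lines() {
    awk '
        /^[ \t]*#/ { next }                      # already commented out
        tolower($1) == "scriptalias" && /cgi-bin/ { print NR ": " $0; hit = 1; next }
        tolower($1) == "<directory" && /cgi-bin\/?"?>/ { inblk = 1 }
        inblk { print NR ": " $0; hit = 1
                if (tolower($1) == "</directory>") inblk = 0 }
        END { exit hit + 0 }
    ' "$1"
}

# comment_out_cgi FILE: print the config with those lines prefixed by "#".
comment_out_cgi() {
    awk '
        /^[ \t]*#/ { print; next }
        tolower($1) == "scriptalias" && /cgi-bin/ { print "#" $0; next }
        tolower($1) == "<directory" && /cgi-bin\/?"?>/ { inblk = 1 }
        inblk { print "#" $0
                if (tolower($1) == "</directory>") inblk = 0
                next }
        { print }
    ' "$1"
}

# Constructed sample config; paths are modelled on the printenv output above.
sample_conf() {
    cat <<'EOF'
ScriptAlias /cgi-bin/ "/u01/dev1ora/iAS/Apache/Apache/cgi-bin/"
<Directory "/u01/dev1ora/iAS/Apache/Apache/cgi-bin">
  AllowOverride None
  Options None
  Order allow,deny
  Allow from all
</Directory>
<Directory "/u01/dev1comn/html">
  Options None
</Directory>
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
active_cgi_lines "$tmp" || echo "cgi-bin section still active"
comment_out_cgi "$tmp" > "$tmp.fixed"
active_cgi_lines "$tmp.fixed" && echo "cgi-bin section disabled"
rm -f "$tmp" "$tmp.fixed"
```

comment_out_cgi writes to stdout, so the original file is left untouched until the output has been reviewed and copied into place.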

 

Additional Information:

 

CERT Vulnerability Note VU#717827

 

______________________________________________________________________

 

About Integrigy Corporation (www.integrigy.com)

 

Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications.

 

For more information, visit www.integrigy.com.

 

 
