Information Disclosure through Default Apache Scripts
Integrigy Security Alert
______________________________________________________________________
July 11, 2002
______________________________________________________________________
Summary:
As part of a default Apache installation, two default cgi-bin scripts, printenv and test-cgi, are installed. Oracle has included these scripts in the installation of 11i. These scripts provide information about the installation that could be used in an attack.
Product: Oracle E-Business Suite
Versions: 11.5.x - All versions
Platforms: All platforms
Risk Level: Low
______________________________________________________________________
Description:
Oracle iAS is based on the public domain web server Apache. The default Apache installation includes two debugging cgi-bin scripts -- printenv and test-cgi. In early releases, the test-cgi script was vulnerable to numerous attacks. In the versions of Apache and iAS supported by 11i, neither script is dangerous, but both provide information to potential attackers.
Here is a sample of some of the information that may be provided --
printenv:
    FND_TOP=/u01/dev1appl/fnd/11.5.0
    ORACLE_HOME=/u01/dev1ora/8.0.6
    FORMS60_WEB_CONFIG_FILE=/u01/dev1comn/html/bin/appsweb.cfg
    PATH=/u01/dev1ora/iAS/Apache/Apache/bin:/u01/dev1ora/iAS/bin:/u01 ...
test-cgi:
    SERVER_SOFTWARE = Apache/1.3.9 (Unix) ApacheJServ/1.1 mod_perl/1.21
The scripts are accessed at the following URLs:
http://<host name>:<port number>/cgi-bin/printenv
http://<host name>:<port number>/cgi-bin/test-cgi
Solution:
Remove the reference to the default cgi-bin directory in the httpds.conf (or httpd.conf on Windows NT/2000), which is located in the <sid>iAS/Apache/Apache/conf directory.
These scripts may be useful for debugging purposes, so commenting out the section in the httpds.conf is recommended. The section will appear as follows --
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to
# the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "<iAS home path>/iAS/Apache/Apache/cgi-bin/"
#
# "/usr/local/apache/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "<iAS home path>/iAS/Apache/Apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
#
Place a "#" in front of the "ScriptAlias" and all the lines in the "Directory" section.
Stop and restart Apache using the adapcctl.sh script in order to reload httpds.conf.
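One way to script the edit described above, as an added example that is not Integrigy's or Oracle's code: a shell filter that comments out the active ScriptAlias /cgi-bin/ line and the matching Directory section, plus a counter to confirm nothing is left active. The function names and the /u01/example paths in the sample are constructed for illustration.

```shell
# Constructed sample of the relevant part of httpds.conf (paths are made up).
sample_conf() {
  cat <<'EOF'
ScriptAlias /cgi-bin/ "/u01/example/iAS/Apache/Apache/cgi-bin/"
# "/usr/local/apache/cgi-bin" should be changed to whatever your ScriptAliased
<Directory "/u01/example/iAS/Apache/Apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
<Directory "/u01/example/iAS/Apache/Apache/htdocs">
Options None
</Directory>
EOF
}

# Filter: stdin is the config, stdout is the config with the cgi-bin
# ScriptAlias and its <Directory> section commented out.
comment_out_cgi_bin() {
  awk '
    { line = tolower($0) }   # Apache directive names are case-insensitive
    # Existing comments and blank lines pass through unchanged.
    line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { print; next }
    # Active ScriptAlias for the /cgi-bin/ URL prefix.
    !in_dir && line ~ /^[ \t]*scriptalias[ \t]+\/cgi-bin\/?[ \t]/ { print "#" $0; next }
    # Opening tag of the <Directory> section whose path ends in cgi-bin.
    !in_dir && line ~ /^[ \t]*<directory[ \t]+"?[^>]*\/cgi-bin\/?"?[ \t]*>/ { in_dir = 1 }
    # Comment out every line of that section through its closing tag.
    in_dir { print "#" $0; if (line ~ /^[ \t]*<\/directory>/) in_dir = 0; next }
    { print }
  '
}

# Check: number of cgi-bin ScriptAlias/<Directory> lines still active.
count_active_cgi_bin() {
  awk '
    { line = tolower($0) }
    line ~ /^[ \t]*#/ { next }
    line ~ /^[ \t]*scriptalias[ \t]+\/cgi-bin/ { n++ }
    line ~ /^[ \t]*<directory[ \t]+[^>]*\/cgi-bin/ { n++ }
    END { print n + 0 }
  '
}

echo "active before: $(sample_conf | count_active_cgi_bin)"
echo "active after:  $(sample_conf | comment_out_cgi_bin | count_active_cgi_bin)"
```

Run the filter against a copy of httpds.conf and compare the result with the original before replacing it; the restart with adapcctl.sh is still required for the change to take effect.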
Additional Information:
CERT Vulnerability Note VU#717827
______________________________________________________________________
About Integrigy Corporation (www.integrigy.com)
Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications.
For more information, visit www.integrigy.com.