HTTP: nph-test-cgi Directory Listing

This signature detects attempts to exploit a known vulnerability in the nph-test-cgi script included with some HTTP daemons. Unauthorized Web client users can access confidential files.

Extended Description

Description as given by Josh Richards: A security hole exists in the nph-test-cgi script included in most UNIX based World Wide Web daemon distributions. The nph-* scripts exist to allow 'non-parsed headers' to be sent via the HTTP protocol (this is not the cause of this security problem, though). The problem is that nph-test-cgi, which prints out information on the current web environment (just like 'test-cgi' does) does not enclose its arguments to the 'echo' command inside of quotes....shell escapes are not possible (or at least I have not found them to be--yet) but shell *expansion* is.... This means that _any_ remote user can easily browse your filesystem via the WWW. This is a bug with the nph-test-cgi script and _not_ the server itself.

Affected Products

Ncsa httpd

References

BugTraq: 686

CVE: CVE-1999-0045

URL: http://www.cert.org/advisories/CA-1997-07.html

Short Name

HTTP:NCSA:NPH-TEST-CGI

Severity

Minor

Recommended

False

Recommended Action

None

HTTP: nph-test-cgi Directory Listing

Extended Description

Affected Products

References

Found a potential security threat?