[Snort-sigs] sid 1652
jaffeld at ...2058...
Mon Dec 8 07:58:05 EST 2003
Note: there is a typo in the rule for 1652 and 1653. Insecure.org published
this as "campus cgi hole" but the exploit uses "campas.cgi" (reference
Summary: cgi script found on version 1.2 of NCSA web server allows retrieval of
files outside the web publishing directory structure.
Impact: File retrieval leading to compromise of confidential information,
potential root exploit.
"Francisco Torres" posted information on this one which is repeated on
After connecting to the vulnerable web server, the command:
results in retrieving /etc/passwd
Affected Systems: web servers running very old (1995) version of NCSA web
may have this cgi script installed.
Attacker connects on tcp port 80 (http default port), issues the command and the
desired file is retrieved. Attacker must know (or guess) the path to the file
desired. It is not known whether wild cards will work with this exploit.
Ease of Attack:
Trivial for known file paths.
If you have a legitimate cgi script named 'campas.cgi', requests for it will
trigger this alert.
NOTE: the snort rule replicates a typo at insecure.org. As the script
is 'campas.cgi', the rule should not trigger on 'campus.cgi'
Obfuscated web requests might cause an IDS to miss the request.
Delete all unnecessary cgi scripts!
Run web server in chroot jail so access to files outside web service file
For this particular exploit, remove campas.cgi and/or update NCSA web server.
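The two signature points raised above (the rule must match 'campas.cgi', not the typo'd 'campus.cgi', and an encoded request can slip past a literal content match) are illustrated here with a small detector added for this page; it is not code from the post or from the Snort project, and the request lines are constructed samples. It compares a plain literal match against one that first decodes the URI the way an IDS HTTP preprocessor would.

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP request lines (not taken from the original post).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/campas.cgi HTTP/1.0",    # exact script name: should alert
    "GET /cgi-bin/camp%61s.cgi HTTP/1.0",  # percent-encoded 'a': literal match misses it
    "GET /cgi-bin/CAMPAS.CGI HTTP/1.0",    # case variant: literal match misses it
    "GET /cgi-bin/campus.cgi HTTP/1.0",    # the typo'd name: must NOT alert
    "GET /index.html HTTP/1.0",            # unrelated request
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d$")


def normalize_uri(uri):
    """Drop the query string, undo percent-encoding (twice, to catch double
    encoding) and lower-case the path, so one literal compares equal across
    the encodings a client may use for the same resource."""
    path = uri.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def naive_match(line):
    """Behaves like a bare case-sensitive content match on the raw packet."""
    return "campas.cgi" in line


def normalized_match(line):
    """Match only when a decoded path segment is exactly 'campas.cgi'.
    'campus.cgi' never matches, whatever the encoding."""
    m = REQUEST_LINE.match(line)
    if not m:
        return False
    return "campas.cgi" in normalize_uri(m.group("uri")).split("/")


def scan(lines):
    """Return (request, naive_hit, normalized_hit) for each request line."""
    return [(line, naive_match(line), normalized_match(line)) for line in lines]


if __name__ == "__main__":
    for line, naive, normalized in scan(SAMPLE_REQUESTS):
        print(f"naive={naive!s:5} normalized={normalized!s:5}  {line}")
```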