| VID | 22016 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The Apache 2.0.x Win32 installation is shipped with a default script, /cgi-bin/test-cgi.bat, that allows an attacker to execute commands on the Apache server with SYSTEM privileges via a pipe character '|'. Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, contain serious problems in handling requests for a DOS batch (.bat) or .cmd script from incoming web requests. When a request for a DOS batch file (.bat or .cmd) is sent to an Apache web server, the server will spawn a shell interpreter (cmd.exe by default) and will run the script with the parameters sent to it by the user. Because no proper validation is done on the input, it is possible to send a pipe character ('|') with commands appended to it as parameters to the CGI script, and the shell interpreter will execute them.
Vulnerable systems:
* Apache version 1.3.(6~23) win32
* Apache version 2.0.28-BETA win32 (by default includes the /cgi-bin/test-cgi.bat file, which enables this attack)
* Apache version 2.0.32-BETA win32

References:
* http://online.securityfocus.com/bid/4335
* http://marc.theaimsgroup.com/?l=bugtraq&m=101674082427358&w=2 |
| Recommendation |
If you do not use the 'test-cgi.bat' CGI file, remove it from the /cgi-bin/ virtual directory.
-- OR --
Upgrade your Apache web server to 1.3.24 or 2.0.34-beta (which will be published soon). Download files are located at: http://www.apache.org/dist/httpd/ |
| Related URL | CVE-2002-0061 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |
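
The description above says the issue is triggered by a pipe character in the parameters of a request for a .bat or .cmd script. As an added example (not part of the original entry or of any scanner's own code), the following check flags such requests in an Apache access log; the Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Path that names a .bat/.cmd script, optionally followed by extra path info
SCRIPT_RE = re.compile(r"\.(bat|cmd)(?:/|$)")

def is_suspicious(target: str) -> bool:
    """True if the target names a .bat/.cmd script and its parameters carry '|'."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()  # Windows file names are case-insensitive
    if not SCRIPT_RE.search(path):
        return False
    # Decode twice so that %7C and the double-encoded %257C both become '|'
    return "|" in unquote(unquote(parts.query))

def scan(lines):
    """Return (line_number, request_target) for every flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group("target")):
            hits.append((n, m.group("target")))
    return hits

# Constructed sample log lines (documentation addresses, placeholder parameters)
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Mar/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [21/Mar/2002:10:00:05 +0000] "GET /cgi-bin/test-cgi.bat?|placeholder HTTP/1.0" 200 212',
    '192.0.2.12 - - [21/Mar/2002:10:00:09 +0000] "GET /cgi-bin/Report.CMD?arg=1%7Cplaceholder HTTP/1.0" 200 98',
    '192.0.2.13 - - [21/Mar/2002:10:00:12 +0000] "GET /cgi-bin/test-cgi.bat?name=value HTTP/1.0" 200 187',
    '192.0.2.14 - - [21/Mar/2002:10:00:15 +0000] "GET /search?q=a%7Cb HTTP/1.0" 200 530',
]

if __name__ == "__main__":
    for lineno, target in scan(SAMPLE_LOG):
        print(f"line {lineno}: {target}")
```

A hit only shows that a matching request was received; whether the server was affected depends on the installed Apache version listed above.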