Multiple Vendor test-cgi Directory Listing Vulnerability

Bugtraq ID:	2003
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	Yes
Published:	Apr 01 1996 12:00AM
Updated:	Apr 01 1996 12:00AM
Credit:	Disclosed in a L0pht (now @stake) advisory, April 1996.
Vulnerable:	NCSA httpd 1.5.2 a NCSA httpd 1.5.2 NCSA httpd 1.5.1 NCSA httpd 1.5 a-export NCSA httpd 1.4.2 NCSA httpd 1.4.1 NCSA httpd 1.4 NCSA httpd 1.3 Apache Apache 1.0.5 Apache Apache 1.0.3 Apache Apache 1.0.2 Apache Apache 1.0 Apache Apache 0.8.14 Apache Apache 0.8.11
Not Vulnerable:

Multiple Vendor test-cgi Directory Listing Vulnerability

NCSA HTTPd and comes with a CGI sample shell script, test-cgi, located by default in /cgi-bin. This script does not properly enclose an "ECHO" command in quotes, and as a result "shell expansion" of the * character can occur under some configurations. This allows a remote attacker to obtain file listings, by passing *, /*, /usr/* etc., as variables. The ECHO command expands the * to give a directory listing of the specified directory. This could be used to gain information to facilitate future attacks. This is identical to a problem with another sample script, nph-test-cgi. See references.

Multiple Vendor test-cgi Directory Listing Vulnerability

http://target/cgi-bin/test-cgi?/*
http://target/cgi-bin/test-cgi?*

Multiple Vendor test-cgi Directory Listing Vulnerability

References:

• Multiple Vendor nph-test-cgi Vulnerability (SecurityFocus)