INFORMATION ALERT


AN EMERGING ISSUE WITH:
REMOTE COMMAND EXECUTION IN APACHE FOR WINDOWS


SEVERITY:
Medium

DATE:
March 22, 2002


SUMMARY:

In a post to Bugtraq on March 21, Ory Segal described a flaw in how
Apache for Windows handles certain CGI scripts. A hacker could
exploit this flaw to remotely view files and execute commands on
your system. There is no direct impact on WatchGuard products.
Administrators using Apache for Windows should upgrade to v1.3.24.


EXPOSURE:

Apache supports using CGI <http://www.webopedia.com/TERM/C/CGI.html>
to allow Web administrators to create dynamic content on their Web
sites. The Windows version of Apache can use DOS batch files (.bat
and .cmd files) as CGI scripts.

Ory Segal has found a flaw in the way Apache for Windows v1.3.23 and
v2.0.28-BETA handle DOS batch scripts. Essentially, Apache does not
validate the parameters a remote user sends to a DOS batch script.
Because of this, a hacker could craft a URL that calls your DOS
batch script in a way that allows him to execute commands. The
hacker could exploit this flaw to learn vital information about your
server, read arbitrary files on it, or deface your Web site.

You are only vulnerable to this flaw if your Apache Web site
includes any publicly accessible DOS batch scripts. These scripts
are usually found in Apache's \cgi-bin\ directory with either the
.bat or .cmd extension. By default, Apache v1.3.23 doesn't include
any of these scripts. However, Apache v2.0.28-BETA does include
test-cgi.bat by default.


SOLUTION PATH:

Apache for Windows v1.3.24 (and v2.0.34-BETA) fixes this
vulnerability. Apache for Windows v1.3.24 is available now. If you
use DOS batch scripts on your Web site, we recommend you download
and install v1.3.24 from Apache's Web site
<http://www.apache.org/dist/httpd/>. (The Windows version is
apache_1.3.24.zip <http://www.apache.org/dist/httpd/apache_1.3.24.zip>.)
Administrators can also remove any publicly available DOS batch
scripts to avoid this attack.
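
To check a server against the two conditions described above (an
unpatched Apache for Windows release and a batch script under
cgi-bin), the following Python script is an added example, not part
of the original alert or of Apache. The banner strings and the
directory tree are constructed samples, and treating every release
older than the fixed one in its branch as unpatched is an assumption.

```python
import os
import re
import tempfile

# Fixed releases named in the alert, keyed by (major, minor) branch.
FIXED = {(1, 3): (1, 3, 24), (2, 0): (2, 0, 34)}
BATCH_EXTS = {".bat", ".cmd"}


def needs_upgrade(banner):
    """True/False for a Win32 Apache Server banner, None if not applicable."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m or "win32" not in banner.lower():
        return None
    version = tuple(int(p) for p in m.groups())
    fixed = FIXED.get(version[:2])
    # Assumption: anything older than the fixed release in its branch is unpatched.
    return None if fixed is None else version < fixed


def find_batch_cgi(server_root):
    """List .bat/.cmd files in any cgi-bin directory below server_root."""
    hits = []
    for dirpath, _dirs, files in os.walk(server_root):
        rel_dir = os.path.relpath(dirpath, server_root)
        if "cgi-bin" not in rel_dir.lower().split(os.sep):
            continue
        for name in files:
            if os.path.splitext(name)[1].lower() in BATCH_EXTS:
                hits.append(os.path.join(rel_dir, name).replace(os.sep, "/"))
    return sorted(hits)


def demo():
    # Constructed sample tree standing in for an Apache install directory.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("cgi-bin/test-cgi.bat", "cgi-bin/sub/report.CMD",
                    "cgi-bin/printenv.pl", "htdocs/index.html", "bin/start.bat"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_batch_cgi(root)


if __name__ == "__main__":
    print(needs_upgrade("Apache/1.3.23 (Win32)"), demo())
```

Point find_batch_cgi at the real Apache install directory; any file it
lists should be removed or the server upgraded, as the alert recommends.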