Topic: Vulnerability in NCSA/Apache CGI example code

R124C41 at R124C41 at
Thu Mar 21 16:24:16 EST 1996

Dear Web4Lib Colleagues,

A couple of security concerns have been circulated to me recently.  I have
not seen them come across our list and so thought I would pass them on.  I do
not think people need to be alarmed--just read and heed where applicable.

--David Ritchie
--R124C41 at AOL.COM
--Naperville, IL USA

Date: Wed, 20 Mar 1996 10:42:21 -0500
Message-Id: <199603201542.KAA15965 at>
From: CERT Advisory <cert-advisory at>
To: cert-advisory at
Subject: CERT Advisory CA-96.06 - Vulnerability in NCSA/Apache CGI example
Reply-To: cert-advisory-request at
Organization: CERT(sm) Coordination Center -  +1 412-268-7090

CERT(sm) Advisory CA-96.06
March 20, 1996

Topic: Vulnerability in NCSA/Apache CGI example code

The text of this advisory was originally released on March 14, 1996,
as AUSCERT Advisory AA-96.01, developed by the Australian Computer
Emergency Response Team. Because of the seriousness of the problem, we
are reprinting the AUSCERT advisory here with their permission. Only
the contact information at the end has changed: AUSCERT contact
information has been replaced with CERT/CC contact information. As
usual, we will place updated information in a README file

Note: The vulnerability described in this advisory is being actively


The Australian Computer Emergency Response Team (AUSCERT) has received
information that example CGI code, as found in the NCSA 1.5a-export and
1.0.3 httpd (and possibly previous distributions of both servers), contains
a security vulnerability.  Programs using this code may be vulnerable to

The CGI program "phf", included with those distributions, is an example of
such a vulnerable program.  This program may have been installed as part of
the installation process for the httpd.

AUSCERT recommends that sites that have installed any CGI program
incorporating the vulnerable code (such as "phf") apply one of the
as described in Section 3.


1.  Description

    A security vulnerability has been reported in example CGI code, as
    provided with the NCSA httpd 1.5a-export and APACHE httpd 1.0.3 (and
    possibly previous distributions of both servers).  The example code
    contains a library function escape_shell_cmd() (in cgi-src/util.c).  This
    function, which attempts to prevent exploitation of shell-based library
    calls, such as system() and popen(), contains a vulnerability.

    Any program which relies on escape_shell_cmd() to prevent exploitation
    of shell-based library calls may be vulnerable to attack.  

    In particular, this includes the "phf" program which is also distributed
    with the example code.  Some sites may have installed phf by default,
    even though it is not required to run httpd successfully.

    Any vulnerable program which is installed as a CGI application may allow
    unauthorised activity on the HTTP server.

    Please note that this vulnerability is not in httpd itself, but in CGI
    programs which rely on the supplied escape_shell_cmd() function.  Any
    HTTP server (not limited to NCSA or Apache) which has installed CGI
    programs which rely on escape_shell_cmd() may be vulnerable to attack.

    Sites which have the source code to their CGI applications available can
    determine whether their applications may be vulnerable by examining the
    source for usage of the escape_shell_cmd() function which is defined in

    Sites which do not have the source code for their CGI applications
    should contact the distributors of the applications for more information.

    It is important to note that attacks similar to this may succeed
    against any CGI program which has not been written with due
    consideration for security.  Sites using HTTP servers, and in
    particular CGI applications, are encouraged to develop an understanding 
    of the security issues involved.  References in Section 4 provide some
    initial pointers in this area.

2.  Impact

    A remote user may retrieve any world readable files, execute arbitrary
    commands and create files on the server with the privileges of the httpd
    process which answers HTTP requests.  This may be used to compromise the
    http server and under certain configurations gain privileged access.

3.  Workarounds

    The use of certain C library calls (including system() and popen()) in
    security critical code (such as CGI programs) has been a notorious source
    of security vulnerabilities.  Good security coding practice usually
    dictates that easily exploitable system or library calls should not be
    used.  While secure CGI coding techniques are beyond the scope of this
    advisory many useful guidelines are available.  

    Sites planning to install or write their own CGI programs are encouraged
    to read the references in Section 4 first.

    3.1.  Remove CGI programs

    Any CGI program which uses the escape_shell_cmd() function and is not
    required should be disabled.  This may be accomplished by removing
    execute permissions from the program or removing the program itself.

    In particular, sites which have installed the "phf" program and do not
    require it should disable it.  The "phf" program is not required to
    run httpd successfully.  Sites requiring "phf" functionality should apply
    one of the workarounds given in sections 3.2 and 3.3.

    3.2.  Rewrite CGI programs

    The intent of the escape_shell_cmd() function is to prevent passing shell
    meta-characters to susceptible library calls.  A more secure approach is
    to avoid the use of these library calls entirely.

    AUSCERT recommends that sites which are currently using CGI programs
    which use shell-based library calls (such as system() and popen())
    consider rewriting these programs to remove direct calls to easily
    compromised library functions.

    Sites should note that this is only one aspect of secure programming
    practice.  More details on this approach and other guidelines for secure
    CGI programming may be found in the references in Section 4.

    3.3.  Recompile CGI programs with patched util.c

    For sites that still wish to use programs using the escape_shell_cmd()
    function, a patched version of cgi-src/util.c has been made available by
    NCSA which addresses this particular vulnerability.  The patched version
    of util.c is available as part of the http1.5.1b3-export distribution.
    This is available from:


    Please note that this is a beta-release of the NCSA httpd and is not a
    stable version of the httpd.  The patched version of cgi-src/util.c may
    used independently.

    CGI programs which are required and use the escape_shell_cmd() should be
    recompiled with the new version of cgi-src/util.c and then reinstalled.

    Apache have reported that they intend to fix this vulnerability in a
    future release.  Until then the patched version of util.c as supplied 
    in the http1.5.1b3-export release should be compatible. 

4.  Additional measures

    Sites should consider taking this opportunity to examine their httpd
    configuration.  In particular, all CGI programs that are not required
    should be removed, and all those remaining should be examined for
    security vulnerabilities.

    It is also important to ensure that all child processes of httpd are
    running as a non-privileged user.  This is often a configurable option.
    See the documentation for your httpd distribution for more details.

    Numerous resources relating to WWW security are available.  The following
    pages provide a useful starting point.  They include links describing 
    general WWW security, secure httpd setup and secure CGI programming.

        The World Wide Web Security FAQ:

        NSCA's "Security Concerns on the Web" Page:

    The following book contains useful information including sections on
    secure programming techniques.

        "Practical Unix & Internet Security", Simson Garfinkel and 
        Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.

    Please note that the URLs referenced in this advisory are not under
    AUSCERT's control and therefore AUSCERT cannot be responsible for their
    availability or content.  Please contact the administrator of the site in
    question if you encounter any difficulties with the above sites.

AUSCERT thanks Jeff Uphoff of NRAO, IBM-ERS, NASIRC and Wolfgang Ley of
DFN-CERT for their assistance.

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AUSCERT takes no responsibility for the consequences of
applying the contents of this document.


CERT Contact Information
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
CERT staff for more information. 

Location of CERT PGP key

Email    cert at

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request at

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

CERT advisories and bulletins are also posted on the USENET newsgroup

CERT is a service mark of Carnegie Mellon University.

More information about the Web4lib mailing list