Rasheed_itsme
Joined: 02 Jul 2014 Posts: 12 Location: India
Posted: Tue 30 Jun '15 16:58 Post subject: Solution for 42054 - CGI Generic SSI Injection vulnerability
Hi,
I need help from you guys; I hope your help will resolve our issue.
We are running an Apache web server which was scanned for vulnerabilities. We got the below result from the scan:
*****************************************************************
42054 - CGI Generic SSI Injection
Synopsis
Arbitrary code may be run on the remote server.
Description
The remote web server hosts CGI scripts that fail to adequately sanitize request strings. They seem to be vulnerable
to an 'SSI injection' attack. By leveraging this issue, an attacker may be able to execute arbitrary commands on the
remote host.
See Also
[en.wikipedia.org...]
[owasp.org...]
[projects.webappsec.org...]
Solution
Disable Server Side Includes if you do not use them. Otherwise, restrict access to any vulnerable scripts and contact
the vendor for a patch or upgrade.
*****************************************************************
We made the below changes in the httpd.conf file:
1) Options -ExecCGI -FollowSymLinks -Indexes
2) <Directory />
Options -Includes
</Directory>
3) "--disable-cgi" \
"--disable-proxy-scgi" \
But the vulnerability still exists.
Later we removed those changes.
I am sharing the httpd.conf file; please have a look and tell me where it goes wrong.
Kindly tell me where I have to make the modification to resolve this vulnerability.
Moderator note:
Moved your post to the correct forum
Moved httpd.conf to http://apaste.info/3DB
Next time read the forum rules and see the top at the post page: Paste only (small) relevant parts or use a pastebin, for example http://apaste.info/ (recommended) or http://pastebin.com/
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 01 Jul '15 10:58 Post subject:
Did you disable server side includes?
Rasheed_itsme
Joined: 02 Jul 2014 Posts: 12 Location: India
Posted: Thu 02 Jul '15 7:18 Post subject:
Hi, how can I confirm whether server side includes are disabled by looking at the configuration?
I checked that the LoadModule entry for the includes is commented out. I checked httpd.conf and the Options directive does not have (+) anywhere. Example: options +include
So I thought the server side include configuration does not exist, but it is getting detected in the vulnerability scan. Hence I have shared the httpd.conf file. Please have a look and let us know any changes I need to make in the httpd.conf file.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Thu 02 Jul '15 16:33 Post subject:
Which Linux are you using?
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 03 Jul '15 5:41 Post subject:
Create a text file and name it test.shtml.
Inside that file put 2 lines:
Code:
<!--#echo var="HTTP_USER_AGENT" -->
<!--#exec cmd="ls" -->
Upload it to the server and call its URL with your browser.
If you see your browser's user agent string, then SSI is working.
If you see the file listing of the directory, then SSI exec is working.
If you see nothing at all, then SSI is disabled. If you view source in your browser, you will see those two lines, but they are simply HTML comments because the server is not parsing them.
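One way to answer the earlier question of how to confirm from the configuration whether SSI is disabled, as an added example that is not part of any post in this thread: a small Python audit that lists every active httpd.conf directive that switches server-side includes on. The sample configuration and the function name audit_ssi are constructed for illustration.

```python
import re

# Constructed sample configuration for illustration; not the poster's httpd.conf.
SAMPLE_CONF = """\
#LoadModule include_module modules/mod_include.so
<Directory />
    Options -Includes
</Directory>
<Directory "/var/www/html">
    Options Indexes Includes
    AddOutputFilter INCLUDES .shtml
</Directory>
"""

def audit_ssi(conf_text):
    """Return (line_no, context, finding) for each active directive that enables SSI."""
    findings, context = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out directives are inactive
        if line.startswith("<"):
            if line.startswith("</"):
                context = context[:-1]    # leaving a <Directory>/<IfModule> container
            else:
                context.append(line)      # entering a container
            continue
        parts = line.split(None, 1)
        name, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        where = context[-1] if context else "server config"
        if name == "loadmodule" and args.split()[:1] == ["include_module"]:
            findings.append((no, where, "mod_include is loaded"))
        elif name == "options":
            for opt in args.split():
                bare = opt.lstrip("+").lower()  # "-Includes" keeps its "-" and never matches
                if bare in ("includes", "all"):
                    findings.append((no, where, f"Options {opt} allows SSI, including exec"))
                elif bare == "includesnoexec":
                    findings.append((no, where, "Options IncludesNOEXEC allows SSI without exec"))
        elif name in ("addoutputfilter", "setoutputfilter", "addhandler") and \
                re.search(r"\b(includes|server-parsed)\b", args, re.I):
            findings.append((no, where, f"{parts[0]} sends content through the SSI parser"))
        elif name == "xbithack" and args.strip().lower() != "off":
            findings.append((no, where, "XBitHack enables SSI for files with the execute bit"))
    return findings

if __name__ == "__main__":
    for no, where, finding in audit_ssi(SAMPLE_CONF):
        print(f"line {no} [{where}]: {finding}")
```

The audit reads one file only, so files pulled in with Include and any .htaccess overrides need the same check. A statically compiled mod_include has no LoadModule line; `httpd -M` lists the modules that are actually loaded.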
Rasheed_itsme
Joined: 02 Jul 2014 Posts: 12 Location: India
Posted: Mon 06 Jul '15 4:13 Post subject:
Hi,
Thank you for sharing the information. I asked the application team to find out whether they are using any CGI in their application.
They said that when they remove two HTML files, as these files were creating CGI code, they do not get the CGI vulnerability. Now what they want is to remove the CGI vulnerability without removing these two files.
I understood from this statement that they are using CGI in their application.
Could you please tell me whether it is not possible to remove the vulnerability if they use CGI in their application?
Is there anything we can do to fix the vulnerability while they still use CGI?
In other words, the application should use CGI but they should not get this vulnerability. Is it possible?
Rasheed_itsme
Joined: 02 Jul 2014 Posts: 12 Location: India
Posted: Mon 06 Jul '15 6:47 Post subject:
Hi,
Below is the HTML code, but I couldn't see any CGI or SSI related reference in it. Maybe I am not as aware of it as you people are, hence I shared it here. Please tell me whether any such thing is there in this file. They told me that they removed this file and then the vulnerability was not detected. But they want to use this file. There are two files which were removed. I am sharing one here.
Admin note, second warning.
Moved the html code file to http://apaste.info/Ta4
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 08 Jul '15 23:05 Post subject:
In that code I can't see anything dynamic. Are you sure you got the source code and not the generated code?
P.S.: Use pastebin or apaste!
Rasheed_itsme
Joined: 02 Jul 2014 Posts: 12 Location: India
Posted: Wed 15 Jul '15 13:05 Post subject:
Hello,
Sorry for the delay. I was checking with the application user about the HTML file.
They had <DIR></DIR> in their HTML file when the vulnerability was detected.
But after they removed <DIR></DIR> from the HTML file, this vulnerability is not detected.
I am not sure how this tag is related to "CGI Generic SSI Injection".
Can you please share your input on this?
It seems many HTML files were recently detected with this vulnerability, and it is difficult to change the content of every HTML file, so we are trying to see if we can do anything from the web server end instead of changing every HTML file.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 15 Jul '15 14:11 Post subject:
<DIR> is an older version of <ul>. Maybe the scanner "thinks" that it is a command to list files. But it is harmless.