On Wed, Aug 09, 2006 at 10:15:42AM -0000, susam.pal@xxxxxxxxx wrote:
> ADVISORY NAME:
> CGI Script Source Code Disclosure Vulnerability in Apache for Windows
...
> But a similar configuration isn't safe in Windows. For instance:-
>
> # Sample Unsafe Configuration for Windows
> DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
> ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"
>
> If the scripts' directory (represented by 'ScriptAlias') lies inside
> the document-root directory (represented by 'DocumentRoot') and the
> name of the script-alias is same as that of the directory containing
> the scripts then the attacker can obtain the source code of the CGI
> scripts by making a direct request to 'http://[target]/CGI-BIN/foo'.

This is not a security vulnerability in the server, but rather a serious
misconfiguration of the ScriptAlias Directive. ScriptAlias exists to allow
CGI scripts to be stored in a directory outside of the document tree. Common
convention is never to include cgi-bin within the document tree.

Regards,

Joe Orton
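
A configuration audit for the misconfiguration discussed above, as an added example that is not part of the original message or of Apache: it flags any ScriptAlias directory that lies inside a DocumentRoot, comparing paths case-insensitively as a Windows filesystem does. The sample configurations are constructed (the unsafe one copies the quoted advisory, the safe path is hypothetical), and the parser assumes simple one-line directives.

```python
import ntpath
import re

# Constructed sample: the unsafe Windows configuration quoted in the advisory.
UNSAFE_CONF = '''
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"
'''

# Constructed sample: scripts kept outside the document tree (hypothetical path).
SAFE_CONF = '''
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin/"
'''

def _norm(path):
    # Compare the way a Windows filesystem does: case-insensitive, either slash.
    return ntpath.normcase(ntpath.normpath(path))

def _directives(conf):
    # Yield (lowercased name, args) per line; arguments may be double-quoted.
    for line in conf.splitlines():
        tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
        if tokens and not tokens[0].startswith('#'):
            yield tokens[0].lower(), tokens[1:]

def script_aliases_in_docroot(conf):
    """Return one finding per ScriptAlias directory located under a DocumentRoot."""
    roots, aliases = [], []
    for name, args in _directives(conf):
        if name == 'documentroot' and len(args) == 1:
            roots.append(args[0])
        elif name == 'scriptalias' and len(args) == 2:
            aliases.append((args[0], args[1]))
    findings = []
    for url, directory in aliases:
        for root in roots:
            r, d = _norm(root), _norm(directory)
            if d == r or d.startswith(r + '\\'):
                rel = d[len(r):].strip('\\').replace('\\', '/')
                findings.append({
                    'alias': url, 'directory': directory, 'docroot': root,
                    # Advisory's condition: alias name equals the directory's
                    # path under the document root.
                    'same_name': rel == url.strip('/').lower(),
                })
    return findings
```

An empty result for a configuration means every script directory sits outside the document tree, which is the convention the reply describes.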