/
/
Introduction to Common Gateway Interface and CGI vulnerabilities

Introduction to Common Gateway Interface and CGI vulnerabilities

Article
July 25, 2018
Profile Icon

Jason Franscisco

Introduction:

One simple way to create a server-side dynamic web page which displays different content each time it is viewed is the Common Gateway Interface (CGI). This post will help you understand what a CGI is, how it works and how the CGI-enabled web server is vulnerable to various attacks.

What is a CGI?

Common Gateway Interface, commonly known as CGI, is a specification defined by W3C which helps a web server to render dynamic web pages i.e. creating a customized response based on the request received from the client (user). To generate a response for the request received, a CGI program calls other applications on the server to create a user-specific response. On finishing the required operations, the CGI program returns the output to the web server which then sends a response back to the client (user).

The primary objective of CGI programs is to access other running applications on the server. For example, an interactive web server can use CGI to search for documents, to run authorized commands on the server or to store the information in the server. The CGI program is intelligent enough to detect and provide user-specific information by verifying the authenticity of a user. Most likely, Dropbox uses CGI to provide the user-specific data. However, one could misuse the implementation of CGI scripts to perform unauthorized actions. Most of the web servers will have a directory 'cgi-bin' which contains CGI scripts to call other applications on the server. Exploiting these scripts leaves us vulnerable, giving access to the attackers.

Known vulnerabilities of CGI

CVE-1999-0174 -The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.

CVE-1999-0237 -Remote execution of arbitrary commands through Guestbook CGI program.

CVE-1999-0260 -The jj CGI program allows command execution via shell metacharacters.

PHF Attack:

The purpose of PHF script, which is installed in 'cgi-bin' directory by default, is to provide an example of "Phone Book" functionality on the Web. Misusing the implementation of PHF script allows the attacker to perform unauthorized actions. Internally, this script uses a function 'escape_shell_cmd()' which failed to escape special characters like newline (\n or 0x0a). This allows any skilled attacker to construct a URL appending '%0a' to retrieve sensitive information like passwords as shown below

By observing the query string of the URL, the attacker has added a new line code (%0a) and has issued a simple viewing of /etc/passwd via the cat command. The %20 represents an ASCII value for a blank line.

Besides the PHF attack, an attacker took leverage over another script called 'test-cgi' which is installed by default in 'cgi-bin' to the environment variables while processing the server requests. Again, lack of input validation 'test-cgi' left the web server vulnerable allowing an attacker to gain sensitive information with simple malformed URL as shown below

payload: http://www.target-website.com/cgi-bin/test-cgi?Qalias=x%0a/bin/cat%20/etc/passwd

There are few other widely exploited CGI scripts: php.cgi, handler, webgais, websendmail, webdist.cgi

count.cgi - The script is used to count the number of hits for the web pages.

viewsrc.cgi - The script is used to view the source code

payload: http://www.target-website.com/cgi-bin/viewsrc.cgi?loc=../anyfile

Also, using CGI in a web server may leads to denial-of-service. As CGI creates a new process on every request which is again a significant consumption of resource. This may lead to denial-of-service when there are too many requests being processed.

Protection against CGI vulnerabilities

  • Allowing an attacker to run a CGI script arbitrarily in the file system leaves the web server vulnerable. To prevent these vulnerabilities follow the below tips to secure your web server.
  • Use Intrusion Prevention System and Intrusion Detection System. This is really best way to prevent unauthorized access. Two most widely used tools are 'CGI-IDS' and 'ModSecurity'
  • Secure coding practices is most important when it comes to CGI. Poorly written code will let the server vulnerable. Do not let users to manipulate with input through these functions 'eval()', 'popen()', 'system()'. Though server side include (SSI) have their own benefits, do not implement it without applying proper authorization.
  • Apache provides the ScriptAlias directive in the 'httpd.conf' configuration file, with the syntax ScriptAlias aliasname "/path/to/cgi/directory"
  • Don't use any method for spawning a program that uses any sort of shell to run the program. Stick exclusively to execv.
  • There is another variant of CGI called 'Fast-CGI' which results in better performance and security.
  • One can write a custom script to detect CGI attacks via HTTP requests. System Administrator can rule out the IP addresses which seems suspicious
  • Test your CGI-enabled web server with 'Whisker CGI Scanner' or Nikto which are good to have tools with many impressive features

Other references: https://tools.ietf.org/html/rfc3050

Credit: ACE Team - Loginsoft

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Learn more
white arrow pointing top right

About Loginsoft

For over 16 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media and more have come to rely on Loginsoft as a trusted resource for technology talent. Whether Onsite, Offsite, or Offshore, we deliver.

Loginsoft is a leading Cybersecurity services company providing Security Advisory Research to generate metadata for vulnerabilities in Open source components, Discovering ZeroDay Vulnerabilities, Developing Vulnerability Detection signatures using MITRE OVAL Language.

Expertise in Integrations with Threat Intelligence and Security Products, integrated more than 200+ integrations with leading TIP, SIEM, SOAR and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar, IBM Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency APIs with Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet and so on.

Interested to learn more? Let’s start a conversation.

Book a meeting

IN-HOUSE EXPERTISE

Latest Articles

Get practical solutions to real-world challenges, straight from experts who conquered them.

View all our articles

Sign up to our Newsletter