
Protecting Web Servers from Security Holes in Server-Side Includes

Jared Karro, Jie Wang
Division of Computer Science
University of North Carolina at Greensboro
Greensboro, NC 27402, USA
Jared [email protected], [email protected]

Abstract

This paper first investigates and analyzes security holes concerning the use of Server-Side Includes (SSI) in some of the most used Web server software packages. We show that, by exploiting features of SSI, one could seriously compromise Web server security. For example, we demonstrate how users can gain access to information they are not supposed to see, and how attackers can crash a Web server computer by having an HTML file execute a simple program. Such attacks can be made with no trace left behind. We have successfully carried out all the attacks described in this paper on dummy servers we set up for this investigation. We then suggest several practical security measures to prevent a Web server from such attacks.

This work was supported in part by the University of North Carolina at Greensboro under grant 3-19612 and by NSF under grant CCR-9424164.

1. Introduction

Computer and network security has been studied intensely for many years, and a number of defense tools, such as various encryption techniques [15] and firewall technologies [4], have been developed and put in use. The World Wide Web is a new Internet application; it offers new concepts and technologies for a large-scale, on-line, multi-media repository of information, which has created many new ways of conducting business and has greatly influenced the daily life of many people. But the use of the World Wide Web has also interjected a new set of security problems at the same time. For example, while new programming languages such as Java and JavaScript have made it easy to produce active Web documents, some of the new programming techniques introduced in these new languages have also created new security flaws. The study of Web security has therefore become an important issue. Previous research on Web security has been primarily focused on security flaws in Java [11], ActiveX [1], and other Web programming environments [10]. The integrity and security of Web server software packages, however, have not seemed to attract much attention. To make things worse, one could use the World Wide Web without having to use a Java or an ActiveX environment, but one is forced to use Web server software. Hence, the issue of the security of Web server software deserves serious consideration.

Web servers offer certain features that ordinary network servers do not allow. Such features are useful for users to create dynamic Web documents. For instance, a Web server may provide certain mechanisms that allow users to automatically update the “date last modified” information of their Web pages. Such features, however, may also unknowingly give away certain valuable information to unauthorized Web users. Information about server computers obtained through Web servers may be used by a malicious user to harm the Web server in a number of ways, including crashing the Web server computer. Thus, investigating what type of information is obtainable from a Web server and what harm can be done by obtaining such information becomes interesting and important, particularly to universities, Internet service providers, and other organizations where a variety of users are allowed (and often are encouraged) to create their own home pages.

Most Web servers support Server-Side Includes (SSI), which can be used to execute CGI (Common Gateway Interface) scripts and echo valuable information to Web browsers. The ability to do SSI is independent of the Web browser, making it particularly convenient in the multi-browser world we currently live in. Thus, SSI may serve as a powerful tool to obtain information and perform other tasks.

In this paper, we will discuss flaws and areas of security concern in SSI in many of the major Web server software packages used on the Internet. We show that, by exploiting features of SSI, a user can gain valuable information about a Web server computer as well as do harm to the server. For instance, a user can obtain information about the server computer configuration and what processes are currently running on the server computer and by whom; he can kill a process that does not belong to him; and he can even crash the server computer. He can do so from a client computer without having to log in to the actual server computer.

We investigate several Web server software packages for computers running UNIX, Windows 95, and Windows NT operating systems. We restrict our discussion to Web server software packages that are available either free of charge or as free, fully functional evaluation copies. We do not intend to cover all Web server software packages in this paper, nor do we intend to include all of the versions of the Web servers we do discuss. Certain security holes found in an early version of a particular Web server software package may have already been corrected in a newer version; but we found that a number of organizations, including our own, were/are still using an early version of certain Web servers, and so we feel that we are obligated to publish our findings. Findings of this sort may also help server software developers and server administrators to identify some of the gray areas of security that might have been overlooked.

For convenience, in what follows, we will use “Web server” to denote “Web server software package” and “Web server computer” to denote the computer that runs the server software. We will use “Web viewer” to denote the individual who is viewing the Web pages and “Web user” to denote the individual who is creating the pages. The “Web facilitator” refers to the UNIX user ID under which all the Web server processes are executed. Depending on the Web server, the Web facilitator does not need to be an actual user on a UNIX system. In other words, the Web facilitator may simply be a fictitious user who does not own a directory or have explicit rights (in fact, as we will discuss later, it may be safer to use a fictitious user rather than a real user). For simplicity, we sometimes omit the word “Web”.

This paper is organized as follows. In Section 2, we show that one can exploit SSI loopholes to accomplish certain useful tasks on one hand, and to compromise the security of the underlying Web server on the other hand. Since most published works that deal with Web security (e.g., [14], [7], and [2]) have only briefly, if at all, mentioned the possible hazards of SSI, we demonstrate several examples of attacks that we have devised and carried out on dummy servers we set up for this investigation. These examples of attacks include methods to crash Web server computers, to kill other users’ processes, and to have the Web server automatically send out e-mail messages to selected individuals. Such attacks can be made with no trace left behind. In Sections 3 and 4, we show and discuss how to obtain the necessary rights to execute those harmful SSI features even though the user may be denied such rights by the default setting of SSI. We analyze the following Web server software packages on the UNIX platforms in Section 3: Apache, Stronghold, Netscape Fast-Track 3.0, Zeus Server; and we analyze the following software packages on the Windows platforms in Section 4: Netscape Fast-Track 2.0, Netscape Enterprise (NT only), and O’Reilly WebSite Professional (NT only). The Apache server, according to a recent survey [12], is the most used Web server on the UNIX platform. In Section 5 we offer several security measures, based on our investigation and analysis of security holes in SSI, to protect Web servers from the attacks we describe in this paper. We hope that this paper will serve as a useful tool to help the reader in choosing a suitable Web server and Web environment, as well as a guide for securing his Web server from attacks of these types.

2. SSI and security holes

We will first show in this section how SSI can be used to perform certain useful things when users are denied access to CGI scripts. We will then show how SSI can be used to compromise the security of the underlying Web server. We assume that the user has rights to execute the exec and include directives. This opens a door for users to create their own scripts (programs), which could be used to do useful things such as setting up counters, or could be used to do harmful things such as crashing the server computer.

2.1. Useful Exploitation of Loopholes

Depending on the server environment, it may become necessary for the users to exploit loopholes in SSI to accomplish certain useful tasks. For instance, the Web server at our university does not allow users to execute their own CGI scripts, and it only provides a CGI script for mailmerge. This means that if we want to set up a counter of visits in our pages, we have to use a service provided by other Web servers outside of the campus. This will slow down the loading of our pages and we cannot guarantee that the counter will always work.

To get around this problem, we wrote a C++ program to look at a log file, count the number of hits on the given page periodically, and output the result with a graphic image.

that we started, for instance, did not require logins; thus,
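Section 2 assumes that users may place the exec and include directives in their own pages. As an added example (not code from the paper), an administrator could inventory which user pages contain those directives; the risk ranking, function names and sample pages below are assumptions constructed for illustration.

```python
import re

# Apache-style SSI directive: <!--#element attr="value" ... -->
DIRECTIVE = re.compile(r'<!--#(\w+)\s*(.*?)\s*-->', re.S)
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))')

# Risk ranking is this example's assumption: exec starts a program on the
# server computer, include pulls another document into the page.
RISK = {"exec": "high", "include": "medium"}

def audit_ssi(path, text):
    """Return one finding per SSI directive in an HTML document."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        element = m.group(1).lower()
        attrs = {k.lower(): dq or sq or bare
                 for k, dq, sq, bare in ATTR.findall(m.group(2))}
        findings.append({
            "path": path,
            "line": text.count("\n", 0, m.start()) + 1,
            "element": element,
            "attrs": attrs,
            "risk": RISK.get(element, "low"),
        })
    return findings

def audit_pages(pages):
    """Audit a {path: html} mapping; highest-risk findings first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [f for p, t in sorted(pages.items()) for f in audit_ssi(p, t)]
    return sorted(found, key=lambda f: order[f["risk"]])

# Constructed sample pages (not from the paper).
SAMPLE_PAGES = {
    "alice/index.html": (
        "<html><body>\n"
        'Updated: <!--#echo var="LAST_MODIFIED" -->\n'
        '<!--#include virtual="/footer.html" -->\n'
        "</body></html>\n"),
    "bob/index.html": (
        "<html><body>\n"
        "<p>Visits:\n"
        '<!--#exec cmd="./counter index.html" --></p>\n'
        "</body></html>\n"),
}

if __name__ == "__main__":
    for f in audit_pages(SAMPLE_PAGES):
        print(f'{f["risk"]:6} {f["path"]}:{f["line"]} {f["element"]} {f["attrs"]}')
```

Even the benign visit counter is reported as high risk, because the directive that runs it can run any other program the Web facilitator is able to execute.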