A complete revision history is at the end of this file.
Because of ongoing activity relating to a vulnerability in the nph-test-cgi script included with some http daemons, the CERT Coordination Center staff is issuing this recommendation to check your cgi-bin directory. By exploiting this vulnerability, users of Web clients can read a listing of files they are not authorized to see.
The CERT/CC team recommends removing the script from your system and checking Appendix A of this advisory for information provided by vendors.
We also urge you to read CERT advisory CA-96.06.cgi_example_code for another CGI-related vulnerability that continues to be exploited.
We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.
If you find the script, we urge you to either remove the program itself or remove the execute permissions from the program. The nph-test-cgi program is not required to run httpd successfully.
Also note that a web server may have multiple cgi-bin directories. It is not sufficient to look in the regular location only. For example, in the NCSA HTTPd server, you can specify alternate locations for the scripts by setting the ScriptAlias directive in the srm.conf file. See your vendor's documentation to learn if your server provides this feature. If you are using this feature, you need to remove the nph-test-cgi script or apply the workaround below in every cgi-bin directory.
echo QUERY_STRING = $QUERY_STRING
should read
echo QUERY_STRING = "$QUERY_STRING"
Note: Even if your vendor did not ship the nph-test-cgi script, you should check your cgi-bin directory in case someone at your site added such a script later.
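The following shell functions are an added example and are not part of the CERT advisory or of any vendor's distribution. They automate the two checks above: enumerating the ScriptAlias directories in an srm.conf (the path is an assumption; the default cgi-bin must be added by the caller), reporting any nph-test-cgi found there, and verifying in a scratch directory whether a candidate script still expands QUERY_STRING unquoted (the canary file name is constructed for the test).

```shell
#!/bin/sh
# Added example, not code from the CERT advisory or from NCSA HTTPd.

# Print the target directory of every ScriptAlias directive in $1
# (an srm.conf). Assumes unquoted "ScriptAlias /url/ /dir/" lines.
scriptalias_dirs() {
    awk '$1 == "ScriptAlias" && NF >= 3 { print $3 }' "$1"
}

# Report every nph-test-cgi present in the directories given as
# arguments, showing its mode so execute permission is visible.
# Returns 0 if none were found, 1 if at least one was found.
find_nph_test_cgi() {
    found=0
    for d in "$@"; do
        if [ -f "$d/nph-test-cgi" ]; then
            ls -l "$d/nph-test-cgi"
            found=1
        fi
    done
    return $found
}

# Run script $1 in an otherwise empty scratch directory that holds one
# constructed file, with QUERY_STRING='*'. An unquoted echo lets the
# shell expand the glob, so the file name appears in the output
# ("vulnerable"); the quoted form echoes the literal '*' ("fixed").
quoting_test() {
    script=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    tmp=$(mktemp -d) || return 2
    : > "$tmp/canary.txt"
    out=$(cd "$tmp" && QUERY_STRING='*' sh "$script" 2>/dev/null) || true
    rm -rf "$tmp"
    case "$out" in
        *canary.txt*) echo vulnerable ;;
        *) echo fixed ;;
    esac
}
```

A typical run is `find_nph_test_cgi /usr/local/etc/httpd/cgi-bin $(scriptalias_dirs /usr/local/etc/httpd/conf/srm.conf)` followed by `quoting_test` on any script you chose to patch rather than remove.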
The World Wide Web Security FAQ:
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
NCSA's "Security Concerns on the Web" Page:
http://hoohoo.ncsa.uiuc.edu/security/
The following book contains useful information, including sections on secure programming techniques.
Practical Unix & Internet Security, Simson Garfinkel and Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.
(Note that we provide these pointers for your convenience. As this is not CERT/CC material, we cannot be responsible for content or availability. Please contact the administrators of the sites if you have difficulties with access.)
Test cgi programs are not intended to be left on an operational server. If using the NCSA HTTPd server for operational use, many configuration issues must be addressed. Among those issues is the use of cgi scripts. No script should be run on a server that has not been carefully reviewed. This is especially true for the test scripts, which were never intended to be left on an operational server.
Users of NCSA HTTPd should be running the most current version (1.5.2a) to ensure that security patches are implemented. Test cgi scripts should be removed from cgi-bin directories before putting a server in operational use.
Please see http://hoohoo.ncsa.uiuc.edu/security for further details on securely installing the NCSA HTTPd server.
To report security vulnerabilities in NCSA products, email the NCSA Incident Response and Security Team (irst@ncsa.uiuc.edu).
NCSA is a trademark of the University of Illinois Board of Trustees.
The CERT Coordination Center thanks David Kennedy of the National Computer Security Association, Ken Rowe of the NCSA(tm) IRST, and Josh Richards for providing information about this problem.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
CERT publications and other security information are available from our web site
To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Copyright 1997 Carnegie Mellon University.
Revision History
September 26, 1997 Updated copyright statement
February 21, 1997 Acknowledgements - corrected organization names.