2007-05-23
The danger of a web server writeable document area
Once you have CGI programs running through your web server, you might rationally ask why allowing them to write into the web server's document area adds any extra danger: after all, if a CGI program is compromised, the attacker gets to run all the code they want anyways.
Well, in theory. The flaw in this theory is that there are different kinds of vulnerabilities.
In practice it turns out that 'file dropper' vulnerabilities, where a CGI program (especially PHP programs) can be tricked into writing attacker-supplied files to an attacker-supplied location, are much more common than code execution vulnerabilities, where an attacker can make your CGI actually run their code. In a sense, this shouldn't be too surprising; many CGI programs already write files and thus just need to be tricked about where to put them and what to put in them, but few dynamically execute code to start with.
(Dynamic code execution gets most of the press anyways for various reasons, including that it is the most dangerous sort of vulnerability.)
If you have a file dropper exploit and can write to some place where the files will be executed, you can bootstrap to running your own code; the classical case is to drop PHP files into the document area of a web server that runs PHP. Nor are you entirely safe with a static file document area; planting HTML files is enough to infect your web site with spam pages and attempts to exploit browser vulnerabilities, both of which can be lucrative activities.
And even if an attacker has fully compromised a CGI program, they may want to stick their own program into your web server setup so that they can hide better. Often exploiting the CGI's vulnerability may leave very odd log messages that you might notice in time, whereas with their own crafted program the cracker can just send bland-looking POST requests and you'll never be the wiser.
(For example, something we saw here dropped a Bzip.php file into a directory that already had legitimate Tar.php and Zip.php files. The meticulous will notice this anyways, but more casual people could overlook it for some time.)
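As an added example (not part of the original post), the following Python script checks for the two conditions the post describes: paths under a document root that the web server's own identity could write to, which is the foothold a file-dropper bug needs, and files that have appeared or changed since a known-good manifest was taken, which is how a dropped Bzip.php next to legitimate Tar.php and Zip.php files would surface even when nobody is eyeballing the directory. The demo builds a small constructed document root in a temporary directory and simulates the drop; the web server uid it uses is a hypothetical value, and ACLs and root privileges are deliberately ignored.

```python
"""Audit a web document root for web-server-writable paths and for files
added or changed since a baseline manifest was recorded."""
import hashlib
import os
import shutil
import stat
import tempfile


def _writable_by(st, uid, gids):
    """True if a process running as `uid` with group set `gids` could write
    to an inode with stat result `st`. Plain mode bits only: ACLs and the
    root override are not modelled."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def find_writable_paths(docroot, web_uid, web_gids):
    """Return sorted paths (relative to docroot) that the web server identity
    could modify. Directories count too: a writable directory lets an
    attacker create new files in it even if every existing file is read-only.
    Symlinks are skipped so we judge the inode, not its target."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for full in candidates:
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if _writable_by(st, web_uid, web_gids):
                hits.append(os.path.relpath(full, docroot))
    return sorted(hits)


def build_manifest(docroot):
    """Map each regular file (relative path) under docroot to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, docroot)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Report files that were added, removed, or whose content changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: a docroot with lib/Tar.php and lib/Zip.php, then a
    simulated drop of lib/Bzip.php into a directory left world-writable."""
    root = tempfile.mkdtemp(prefix="docroot-")
    try:
        os.chmod(root, 0o755)
        lib = os.path.join(root, "lib")
        os.mkdir(lib)
        for name in ("Tar.php", "Zip.php"):
            path = os.path.join(lib, name)
            with open(path, "w") as fh:
                fh.write("<?php // legitimate archive helper (constructed sample)\n")
            os.chmod(path, 0o644)
        os.chmod(lib, 0o755)
        baseline = build_manifest(root)  # the known-good snapshot

        # Simulated incident: a dropped file lands beside the legitimate ones
        # and the directory has been left writable by everyone.
        dropped = os.path.join(lib, "Bzip.php")
        with open(dropped, "w") as fh:
            fh.write("<?php // unexpected file (constructed sample)\n")
        os.chmod(dropped, 0o644)
        os.chmod(lib, 0o777)

        web_uid = os.getuid() + 1  # hypothetical web server uid, not the owner
        return {
            "writable": find_writable_paths(root, web_uid, set()),
            "diff": diff_manifest(baseline, build_manifest(root)),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    print("web-server-writable paths:", result["writable"])
    print("manifest diff:", result["diff"])
```

In real use you would run `find_writable_paths` against the live document root with the uid and groups your web server actually runs as, store the output of `build_manifest` somewhere the web server cannot write, and compare on a schedule; an "added" entry ending in `.php` in a directory that should never change is exactly the Bzip.php case above.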