This issue can be exploited by an attacker by passing the following request to the targeted Apache server:
POST /cgi-bin/setTracerouteCfg HTTP/1.0 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 51 command=&field1=value1&field2=value2
To trigger this vulnerability, a user needs to send a command of the form “set=value1&field1=value2” with a value of “&field2=value2”.
Safety tips:
Ensure that you are targeting the right version of your server software by ensuring it has been deployed with the “--enable-cgi” option.
If you're running Apache on a web server, make sure you have strict Content-Security-Policy rules in place to prevent cross-site scripting vulnerabilities.
Ensure that your web server is configured to block command injection and other types of attacks via HTTP headers.
Fix ing this vulnerability
This vulnerability can be fixed by changing the HTTP request as follows:
setTracerouteCfg=%{REQUEST_URI}
In order to fix this vulnerability, an attacker would have to send a request of the form “set=%{REQUEST_URI}”.
Exploiting the vulnerability
An attacker could exploit this vulnerability by passing the following request to the targeted Apache server:
POST /cgi-bin/setTracerouteCfg HTTP/1.0 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 51 command=&field1=value1&field2=value2
To trigger this vulnerability, a user needs to send a command of the form “set=value1&field1=value2” with a value of “&field2=value2”.
Timeline
Published on: 08/25/2022 15:15:00 UTC
Last modified on: 08/26/2022 17:13:00 UTC