CVE-2018-16716
📋 TL;DR
A path traversal vulnerability in NCBI ToolBox versions 2.0.7 through 2.2.26 lets a remote attacker who can reach nph-viewgif.cgi read or delete files on the server by placing ../ sequences in the query string. The script is built from the viewcgi.c component of the legacy NCBI ToolBox web interface, so any host that exposes that CGI is affected. The primary consequence is information disclosure; file deletion is a secondary, availability impact.
💻 Affected Systems
- NCBI ToolBox 2.0.7 through 2.2.26 (nph-viewgif.cgi, built from viewcgi.c)
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file the web server's user can read: /etc/passwd, application configuration files holding database credentials or API keys, private keys, and source code. Because the same flaw permits deletion, an attacker can also remove files that user can write, causing service disruption. Files such as /etc/shadow, and with them a full system compromise, are only in reach if the CGI runs as root or another privileged account.
Likely Case
Disclosure of files readable by the web server's user on the host filesystem: configuration files, source code, or user data.
If Mitigated
Limited impact when the web server runs as a dedicated low-privilege user inside a sandbox (chroot, container, or similar) and sensitive files are not readable by that user; the traversal is then confined to files that user can read or delete within the sandbox.
🎯 Exploit Status
No authentication is needed: a single HTTP GET to nph-viewgif.cgi with ../ sequences in the query string triggers the traversal, so exploitation is trivial for anyone who can reach the script over the network.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.27 and later
Vendor Advisory: https://github.com/ncbi/toolbox/issues
Restart Required: Yes
Instructions:
1. Upgrade NCBI ToolBox to version 2.2.27 or later.
2. If nph-viewgif.cgi is built locally from source, rebuild it from the patched viewcgi.c and replace the deployed binary; the old binary remains vulnerable until it is replaced.
3. Restart the web server service.
🔧 Temporary Workarounds
Disable vulnerable CGI script
Linux: remove or disable access to nph-viewgif.cgi to prevent exploitation. Either rename the script or strip its permissions; the second command below targets the original path, so run it instead of, not after, the rename.
mv /path/to/nph-viewgif.cgi /path/to/nph-viewgif.cgi.disabled
chmod 000 /path/to/nph-viewgif.cgi
Web server access restrictions
All platforms: configure the web server to block the vulnerable CGI endpoint. The paths below assume the default /cgi-bin/ ScriptAlias; adjust them to wherever the script is actually mapped.
# In Apache 2.4 (on 2.2, or with mod_access_compat loaded, use "Deny from all" instead):
<Location "/cgi-bin/nph-viewgif.cgi">
    Require all denied
</Location>
# In nginx (inside the relevant server block):
location ~ ^/cgi-bin/nph-viewgif\.cgi { return 403; }
🧯 If You Can't Patch
- Run the web server and its CGI processes as a dedicated low-privilege user, and make sure credentials, keys and other sensitive files are neither readable nor writable by that user; the traversal can only reach what that user can.
- Deploy a web application firewall (WAF) with path traversal rules that decode the query string before matching, so percent-encoded forms such as %2e%2e%2f are caught as well as literal ../.
🔍 How to Verify
Check if Vulnerable:
Confirm that nph-viewgif.cgi exists and is reachable over HTTP, then request it with a traversal payload such as '?file=../../../../etc/passwd'. Because the flaw also allows deletion, test against a throwaway file you created and made readable by the web server user rather than a system file; if the response body contains that file's contents, the host is vulnerable. If the parameter form returns nothing, also try the ../ sequence as the entire query string, since the flaw is described in terms of the query string itself.
Check Version:
grep -i version /path/to/ncbi/toolbox/README* || echo 'Check documentation files'
Verify Fix Applied:
Confirm that the installed NCBI ToolBox version is 2.2.27 or later, then repeat the traversal test: a fixed or blocked script must return an error or a 4xx response rather than the contents of the requested file.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to nph-viewgif.cgi whose query string contains '..' sequences, including percent-encoded forms (%2e%2e, %2e%2e%2f) and double-encoded variants
- 200 responses with a non-empty body to such requests (a successful read), and application errors caused by files that have since gone missing (the same traversal can delete them)
Network Indicators:
- HTTP GET requests to the CGI endpoint with path traversal patterns (../, ..\, or their percent-encoded forms) in the query string
SIEM Query:
source="web_server_logs" AND uri="*nph-viewgif.cgi*" AND (query="*..*" OR query="*%2e%2e*" OR query="*%2E%2E*")
Note: "*..*" already matches "../", so a separate "*../*" term adds nothing; the encoded terms are needed unless the SIEM decodes the query field before matching.
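The log indicators above, turned into a small checker that a responder can run over an exported access log. This is an added example, not code from the page or from NCBI: it assumes Apache "combined" log format and the default /cgi-bin/nph-viewgif.cgi path, and the log lines, client addresses and timestamps are constructed for illustration. It percent-decodes the query string repeatedly before looking for ../, which is what a raw "*..*" wildcard on the undecoded line misses, and it flags a 200 with a non-empty body as a probable successful read.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache "combined" access-log lines for illustration; the hosts,
# timestamps and requests are made up and do not come from any real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2018:14:02:11 +0000] "GET /cgi-bin/nph-viewgif.cgi?abc123.gif HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2018:14:02:13 +0000] "GET /cgi-bin/nph-viewgif.cgi?../../../../etc/passwd HTTP/1.1" 200 1421 "-" "curl/7.61.0"
203.0.113.9 - - [10/Sep/2018:14:02:15 +0000] "GET /cgi-bin/nph-viewgif.cgi?%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1421 "-" "curl/7.61.0"
198.51.100.7 - - [10/Sep/2018:14:03:01 +0000] "GET /cgi-bin/other.cgi?file=../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2018:14:03:20 +0000] "GET /cgi-bin/nph-viewgif.cgi?%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.61.0"
"""

# Minimal combined-log-format parser: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# "../" or "..\" (or a bare trailing "..") after decoding; tighter than a raw
# "*..*" wildcard, which also fires on harmless names such as "image..gif".
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\|$)")

# Assumed deployment path of the vulnerable script (default ScriptAlias layout).
VULNERABLE_SCRIPT = "nph-viewgif.cgi"


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded payloads such as %252e%252e%2f collapse to ../ as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_hit(target, script_name=VULNERABLE_SCRIPT):
    """True if the request target addresses the vulnerable CGI and its query
    string contains a traversal sequence once decoded. The whole query is
    examined, so both the '?../x' and the '?file=../x' forms are caught."""
    parts = urlsplit(target)
    if not parts.path.endswith("/" + script_name):
        return False
    return TRAVERSAL_RE.search(decode_fully(parts.query)) is not None


def scan_log(text):
    """Return one record per suspicious request. A 200 with a non-empty body
    is the strongest sign that the read succeeded; a 403/404 suggests the
    request was blocked or the script is absent."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_hit(m["target"]):
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": m["target"],
            "decoded_query": decode_fully(urlsplit(m["target"]).query),
            "status": int(m["status"]),
            "likely_success": m["status"] == "200" and m["size"] not in ("-", "0"),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "SUCCESS?" if hit["likely_success"] else "blocked"
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {flag} {hit["decoded_query"]}')
```

Run it against a real log by replacing SAMPLE_LOG with the file's contents; the second and third sample requests are reported as probable successful reads, the double-encoded fifth one as blocked, and the request to an unrelated CGI is ignored because only nph-viewgif.cgi is in scope.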