Security risk in NCSA httpd version 1.42

Under certain conditions, you can force the httpd daemon to return the
source code for any scripts contained in /cgi-bin.  This behavior
is not exhibited by Netscape's, or CERN's daemon.  It appears that
this behavior is also present in Version 1.5 as the pertinent
source code is identical.  I do not have that version running, so
it is not possible to test it directly.
  This security hole only presents itself for systems with cgi-bin
directories contained within their DocumentRoot directories.  You
can access the source code by adding multiple "/" preceeding the
cgi-bin portion of the URL.  If indexing is turned on, you can
get a full listing of all files within the cgi-bin directory.
Example URL's follow:                                                         

     URL:    http://www.foo.com//cgi-bin/
     URL:    http://www.foo.com///cgi-bin/man.pl

  The daemon fails to detect this as a cgi-bin redirect, then
parses the file ///cgi-bin/man.pl from your document root.  Since
the multiple slashes are legal syntax in UNIX, the daemon returns
the file as straight text.  This provides potential hackers a
glimpse at what measures you have taken (or haven't taken) to
thwart their access.
  In perusing the httpd source, the problem appears located in
routine "translate_name" in file "http_alias.c".  An alias table
is built up for string comparisons with the incoming URL.  At
startup, this table is loaded with the value of ScriptAlias in
your configuration files, generally "/cgi-bin".  Comparing
"/cgi-bin" with "//cgi-bin" fails, and the file is returned to
the browser as straight text.
  The short term workaround is listed below.  Basically, the URL
is scanned for multiple slashes as far up the processing pipeline
as possible.  As far as I can determine, this is within function
"unescape_url" in file "util.c".



void unescape_url(char *url) {
    register int x,y;
/*
 *  Remove multiple slashes in URL in place.
 */
    char *src  = url;
    char *dest = url;

    for (; src && *src; src++) {
      if (*src == '/' && *(src+1) == '/') continue;
      *dest++ = *src;
    }
    *dest = '\0';
/*
 *  End Modification
 */

    for(x=0,y=0;url[y];++x,++y) {
        if((url[x] = url[y]) == '%') {
            url[x] = x2c(&url[y+1]);
            y+=2;
        }
    }
    url[x] = '\0';
}
Remember, this hole is ONLY seen if your cgi-bin directory is
located in your DocumentRoot directory.