[4031] in WWW Security List Archive
Re: Front-Page extensions?
daemon@ATHENA.MIT.EDU (Leonid S Knyshov)
Wed Jan 22 02:20:49 1997
To: www-security@ns2.rutgers.edu
Date: Tue, 21 Jan 1997 19:51:14 PST
From: wiseleo@juno.com (Leonid S Knyshov)
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 21 Jan 1997 11:22:52 +0900 darren@factcomm.co.jp (Darren Cook) writes:
>>I'm wondering what your opinions are about the Front-Page server extensions? I've been asked to look into it for my site, just reading the docs now. Any comments are welcome.
>
>I was playing around with it last week.
>I noticed two problems with the bot (i.e. built-in cgi functionality) that puts your comments into a file.
>HTML in and alter the formatting of the message you are giving.
>This can be abused: I put "<!--" at the end of my message. The messages I put in after that did not appear.
That is what Safe CGI is all about: we must filter all information to exclude illegal characters such as <, >, \n, ;, | etc.
If you run that script with no filters on the web server that has SSI support, you are in the world for _serious_ trouble, such as <--#exec cmd "rm -rf /" --> (Note: I don't remember the exact SSI syntax, since it is disabled and I am sure I don't want it enabled.)
Anything after cmd is exec'ed by a shell forked as the UID of the httpd...
God save you if you run httpd as root in that case...
But, you probably wouldn't be reading this message I guess...
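Added example, not code from the thread or from the Front-Page extensions: an escape-based filter for a comment-to-file bot like the one discussed above, plus an audit over already-stored entries for raw "<!--" openers. The sample messages, `sanitize_comment`, `append_comment` and `audit_store` are all constructed for this illustration.

```python
import html
import re

# Constructed sample inputs modelled on the thread: a comment opener that hides
# every later message, an SSI-style directive with a placeholder command,
# and a message carrying CR/LF and a control character.
SAMPLE_MESSAGES = [
    "Nice site!",
    "Hiding the rest <!--",
    '<!--#exec cmd="..." --> (placeholder, not a real command)',
    "line one\r\nline two\x00with control chars",
]

# A raw comment opener is the one thing that must never reach the stored page:
# it both starts an HTML comment and begins every SSI directive.
RAW_OPENER = re.compile(r"<!--")


def sanitize_comment(text: str) -> str:
    """Escape rather than deny-list: '<', '>', '&' and quotes become entities,
    so a browser displays them and an SSI-enabled server never sees a directive.
    C0 control characters (other than newline and tab) are dropped, and
    newlines are rendered as <br> so one entry cannot span file lines."""
    cleaned = "".join(ch for ch in text if ch in "\n\t" or ord(ch) >= 0x20)
    escaped = html.escape(cleaned, quote=True)
    return escaped.replace("\n", "<br>")


def append_comment(store: list, text: str) -> str:
    """Append one sanitized entry to the in-memory comments 'file' and return it."""
    entry = "<p>" + sanitize_comment(text) + "</p>"
    store.append(entry)
    return entry


def audit_store(store: list) -> list:
    """Indexes of stored entries that still contain a raw opener. Run this over a
    comments file written by an unfiltered bot to find entries an SSI-enabled
    server would interpret, or that would swallow the messages after them."""
    return [i for i, entry in enumerate(store) if RAW_OPENER.search(entry)]


if __name__ == "__main__":
    comments = []
    for message in SAMPLE_MESSAGES:
        print(append_comment(comments, message))
    print("entries still carrying a raw opener:", audit_store(comments))
```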