[4080] in WWW Security List Archive
Re: Front-Page extensions?
daemon@ATHENA.MIT.EDU (bracha@eye-on.co.il)
Sun Jan 26 14:47:37 1997
From: bracha@eye-on.co.il
Date: Sun, 26 Jan 1997 19:54:07 +0200
To: Leonid S Knyshov <wiseleo@juno.com>
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Leonid S Knyshov wrote:
>
> On Tue, 21 Jan 1997 11:22:52 +0900 darren@factcomm.co.jp (Darren Cook)
> writes:
> >>I'm wondering what your opinions are about the Front-Page server
> >>extensions? I've been asked to look into it for my site, just reading
> >the
> >>docs now. Any comments are welcome.
> >
> >I was playing around with it last week.
> >I noticed two problems with the bot (i.e. built-in cgi functionality)
> >that
> >puts your comments into a file.
> >HTML in and alter the formatting of the message you are giving.
> >This can be abused: I put "<!--" at the end of my message. The
> >messages I
> >put in after that did not appear.
>
> That is what Safe CGI is all about, we must filter all information to exclude illegal characters such as <>, \n, ;, | etc...
>
> If you run that script with no filters on the web server that has SSI
> support, you are in the world for _serious_ trouble,
> such as <--#exec cmd "rm -rf /" --> (Note: I don't remember the exact SSI
> syntax, since it is disabled and I am sure I don't want it enabled.)
>
> Anything after cmd is exec'ed by a shell forked as the UID of the
> httpd...
>
> God save you if you run httpd as root in that case...
>
> But, you probably wouldn't be reading this message I guess...
Take me off this dumb list!!!!! Take me off this dumb list!!!!! Take me
off this dumb list!!!!! Take me off this dumb list!!!!! Take me off this
dumb list!!!!!
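
Added example, not part of any message in this thread: one way to do the input filtering discussed in the quoted text for a comment-to-file script, so that a stray "<!--" or an SSI directive is stored as inert text. It escapes markup characters rather than deleting them; the function names, the length limit and the sample submissions are assumptions constructed for illustration.

```python
import html

# Constructed sample submissions (not taken from the thread).
SAMPLES = [
    "Nice site!",
    "thanks <!--",                         # unterminated HTML comment
    '<!--#exec cmd="echo test" -->',       # SSI directive with a harmless command
    "line one\r\nline two; a | b",
]

def encode_entry(text, max_len=2000):
    """Return visitor text that is safe to append to a server-parsed HTML file."""
    # Normalise line endings, then drop ASCII control characters below 0x20
    # except newline and tab.
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = "".join(ch for ch in text if ch in "\n\t" or ord(ch) >= 32)
    # Truncate before escaping so an entity is never cut in half.
    text = text[:max_len]
    # Escape &, <, >, " and ' so no tag, comment opener or SSI directive
    # survives as markup.
    escaped = html.escape(text, quote=True)
    # The only markup the script itself adds is the line break.
    return escaped.replace("\n", "<br>\n")

def is_inert(encoded):
    """True if nothing but the script's own <br> tags contains < or >."""
    rest = encoded.replace("<br>\n", "")
    return "<" not in rest and ">" not in rest

def append_entry(page, text):
    """Append one encoded entry to the guestbook page body (a string here)."""
    return page + "<p>" + encode_entry(text) + "</p>\n"

def build_page(entries):
    """Build a page body from raw submissions, encoding each one."""
    page = ""
    for entry in entries:
        page = append_entry(page, entry)
    return page

if __name__ == "__main__":
    print(build_page(SAMPLES))
```
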