[12467] in bugtraq
Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2)
daemon@ATHENA.MIT.EDU (Ben Laurie)
Sat Nov 6 17:26:11 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <38247969.FA372692@algroup.co.uk>
Date: Sat, 6 Nov 1999 18:54:33 +0000
Reply-To: Ben Laurie <ben@ALGROUP.CO.UK>
From: Ben Laurie <ben@ALGROUP.CO.UK>
X-To: Blue Boar <BlueBoar@THIEVCO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

[Snippage has occurred]

Blue Boar wrote:

> The format of the SSI command entered is as follows:
>
> <!--#exec cmd="cat /etc/group"
>
> You should place this command (or other desired command) somewhere in the
> comments.
>
> The format of the command is part of the problem, and why I'm thinking
> there may be some sloppiness in Apache. It appears that there is an
> assumption that SSI commands tend to be on lines by themselves, and are of
> the format:
>
> <!--# (SSI command) -->
>
> In my testing with the most recent Apache at the time (1.3.9) I found it
> took any of the following:
>
> <!--#exec cmd="cat /etc/group"-->
> <!--#exec cmd="cat /etc/group">
> <!--#exec cmd="cat /etc/group"
>
> It also didn't seem to matter that it was in the middle of a line of HTML.
>
> I'm actually a bit more worried about how many other scripts make this
> assumption, and how long Apache has been making that be a bad assumption.

Apache doesn't make a bad assumption. If you don't want SSIs executing
stuff, you shouldn't enable it.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
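
The exchange above, as an added example that is not part of the original message or of Guestbook.pl: a filter that only removes complete `<!--# ... -->` directives lets the unterminated forms quoted by Blue Boar through, while encoding markup characters before the comment is written to the page leaves no `<!--#` opener for the server to parse. The function names and the surrounding comment text are assumptions made for illustration.

```python
import html
import re

# Filter built on the assumption that a directive always ends with "-->".
# Hypothetical stand-in for that assumption, not Guestbook.pl's actual code.
COMPLETE_SSI = re.compile(r"<!--#.*?-->", re.DOTALL)


def strip_complete_ssi(comment: str) -> str:
    """Remove only directives that are properly terminated."""
    return COMPLETE_SSI.sub("", comment)


def escape_comment(comment: str) -> str:
    """Encode &, <, > and quotes so no '<!--#' opener reaches the stored page."""
    return html.escape(comment, quote=True)


def contains_ssi_opener(text: str) -> bool:
    """True if the text still carries the sequence that starts an SSI directive."""
    return "<!--#" in text


# The three forms quoted in the message, placed mid-line (constructed sample input).
SAMPLES = [
    'Nice site! <!--#exec cmd="cat /etc/group"--> bye',
    'Nice site! <!--#exec cmd="cat /etc/group"> bye',
    'Nice site! <!--#exec cmd="cat /etc/group" bye',
]


def audit(samples):
    """Return (opener survives naive filter, opener survives escaping) per sample."""
    return [
        (contains_ssi_opener(strip_complete_ssi(s)),
         contains_ssi_opener(escape_comment(s)))
        for s in samples
    ]


if __name__ == "__main__":
    for sample, (naive, escaped) in zip(SAMPLES, audit(SAMPLES)):
        print(f"naive filter leaves opener: {naive!s:5}  "
              f"escaping leaves opener: {escaped!s:5}  {sample}")
```

On the server side, Ben Laurie's point corresponds to configuration: Apache's `Options IncludesNOEXEC` keeps server-side includes but disables `#exec`, and leaving `Includes` off for directories that hold user-submitted content removes the parsing altogether.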