[12471] in bugtraq


Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2)

daemon@ATHENA.MIT.EDU (Stephen White)
Sun Nov 7 18:16:03 1999

Message-Id:  <3824E467.9C95960@ox.compsoc.net>
Date:         Sun, 7 Nov 1999 02:31:03 +0000
Reply-To: Stephen White <swhite@OX.COMPSOC.NET>
From: Stephen White <swhite@OX.COMPSOC.NET>
X-To:         Blue Boar <BlueBoar@THIEVCO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Blue Boar wrote:
> If you're running the guestbook program, AND you have HTML posting enabled
> (this is a guestbook configuration option) AND you have SSI enabled for
> .html files, you are vulnerable.  Other configurations may be vulnerable if
> customizations have been made, for example modifying the guestbook.pl
> script to write to guestbook.shtml instead of guestbook.html, and having
> SSI enabled on .shtml files.

Erm, isn't it standard practice not to enable SSI for .html for exactly
this sort of reason?  When a web designer/sysadmin/whoever uses .shtml
with CGI enabled, they need to be aware that they are giving whoever
generates the HTML a shell prompt, exactly like using the exec() command
in a Perl script, etc., and the input should be checked accordingly.

This is not a fault of Apache or even Matt's script, but of it being
used incompetently.  It's a standard case of: if you don't fully
understand the security implications, don't change the configuration.

BTW, I have lots of .shtml of the form <a href="someurl"><!--#include
virtual="randimg.pl"--></a> and I certainly expect Apache to run it.
This is the correct behaviour.

--
Stephen White <swhite@ox.compsoc.net>
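As an added example, not part of the original post and not code from Matt's guestbook.pl: a Python sketch of the input check the reply says a guestbook that writes into server-parsed files needs. Apache's mod_include recognises a directive only by the literal start tag `<!--#`, so the check keys on that. It shows both of the configuration paths mentioned in the thread: HTML posting disabled, where the whole entry is entity-escaped, and HTML posting enabled, where only the comment start tag is broken so visitor formatting survives but `#exec`/`#include` can never be parsed. The entries, the `render_entry`/`neutralise_ssi` names and the "dangerous element" list are assumptions for illustration; `Options IncludesNOEXEC` is a real Apache option that disables `#exec` but still lets `#include virtual` run ScriptAliased CGIs, which is why `include` is treated as dangerous here too.

```python
import html
import re

# Apache's mod_include recognises a directive only by the literal start tag
# "<!--#"; the text up to the matching "-->" is parsed as
# "<!--#element attr="value" ... -->".  (Added example; not guestbook.pl code.)
SSI_DIRECTIVE = re.compile(r"<!--#\s*(\w+)\s*(.*?)-->", re.DOTALL)

# "exec" runs a shell command (cmd=) or a CGI (cgi=); "include virtual" can
# still pull in a ScriptAliased CGI's output even under Options IncludesNOEXEC.
# Which elements count as dangerous is an assumption for this example.
DANGEROUS_ELEMENTS = {"exec", "include"}


def find_ssi_directives(entry):
    """Return [(element, attributes)] for every SSI directive in an entry."""
    return [(m.group(1), m.group(2).strip())
            for m in SSI_DIRECTIVE.finditer(entry)]


def is_dangerous(entry):
    """True if the entry carries a directive that could run code server-side."""
    return any(el in DANGEROUS_ELEMENTS for el, _ in find_ssi_directives(entry))


def neutralise_ssi(entry):
    """Break the start tag so mod_include no longer sees a directive.

    Escaping only "<!--" keeps the visitor's HTML formatting intact while
    turning the comment (and any directive inside it) into visible, inert text.
    """
    return entry.replace("<!--", "&lt;!--")


def render_entry(entry, html_posting_enabled):
    """Produce what the guestbook should append to guestbook.html.

    With HTML posting off, the whole entry is entity-escaped, which also
    defeats SSI.  With HTML posting on, tags are kept but SSI start tags
    are broken, so the file stays safe even if it is later served as a
    server-parsed page (e.g. renamed to .shtml or SSI enabled for .html).
    """
    if not html_posting_enabled:
        return html.escape(entry, quote=True)
    return neutralise_ssi(entry)


# Constructed sample entries (not taken from the original report).
SAMPLE_ENTRIES = {
    "benign":  '<b>Nice site!</b> Greetings from <i>Oxford</i>.',
    "exec":    'Hello <!--#exec cmd="cat /etc/passwd" --> world',
    "include": '<!--#include virtual="/cgi-bin/somescript.pl" -->',
    "echo":    'Served by <!--#echo var="SERVER_SOFTWARE" -->',
}


def audit(entries):
    """Map entry name -> (elements found, dangerous?) for a set of entries."""
    return {name: ([el for el, _ in find_ssi_directives(text)],
                   is_dangerous(text))
            for name, text in entries.items()}


if __name__ == "__main__":
    for name, (elements, danger) in audit(SAMPLE_ENTRIES).items():
        print(f"{name:8} directives={elements or '-'} dangerous={danger}")
    for name, text in SAMPLE_ENTRIES.items():
        print(f"{name:8} -> {render_entry(text, html_posting_enabled=True)}")
```

The point of breaking the start tag rather than deleting the directive is that a log reviewer can still see what the visitor tried to submit, while Apache, which only ever acts on the exact `<!--#` sequence, has nothing to parse. The configuration-side fix the reply argues for (keep SSI off for .html, or at least use `IncludesNOEXEC` for directories that hold user-written files) is independent of this and should be applied as well.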
