[12473] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2)

daemon@ATHENA.MIT.EDU (Steven Champeon)
Sun Nov 7 19:44:00 1999

X-Received-From: schampeo@hesketh.com
X-Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.3.95.991107180956.30994C-100000@wasabi.hesketh.net>
Date:         Sun, 7 Nov 1999 18:20:00 -0500
Reply-To: Steven Champeon <schampeo@HESKETH.COM>
From: Steven Champeon <schampeo@HESKETH.COM>
X-To:         Stephen White <swhite@OX.COMPSOC.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3824E467.9C95960@ox.compsoc.net>

On Sun, 7 Nov 1999, Stephen White wrote:
> Blue Boar wrote:
> > If you're running the guestbook program, AND you have HTML posting enabled
> > (this is a guestbook configuration option) AND you have SSI enabled for
> > .html files, you are vulnerable.  Other configurations may be vulnerable if
> > customizations have been made, for example modifying the guestbook.pl
> > script to write to guestbook.shtml instead of guestbook.html, and having
> > SSI enabled on .shtml files.
>
> Erm, isn't it standard practise not to enable SSI for .html for exactly
> this sort of reason?

The extension for which SSI parsing is enabled shouldn't make any
difference.  It's very common to enable SSI parsing for .html files
because keeping track of .shtml vs. .html is a useless waste of time, just
like keeping track of .php vs .php3 vs .pl vs .cfm vs .asp is a waste of
time. You don't gain any security by notifying the public that you're
using SSI or PHP, and you sure don't save any time in maintenance if you
migrate from one to the other. There is a lot of time wasted in tracking
down and fixing links to .html files that are now .shtml files just
because you added an #include somewhere, not to mention the difficulty in
asking other folks to change their offsite links.

Let's not confuse the issue at hand.

> When a webdesigner/sysadmin/whoever uses .shtml with CGI enabled they
> need to be aware that they are giving whoever generates the HTML a shell
> prompt, exactly like using the exec() command in a Perl script, etc, and
> the input should be checked accordingly.

No, anyone who enables SSI with EXEC enabled is giving the HTML author a
shell prompt. The difference between CGI and Includes with Exec privs is
quite important. CGI requires that the author have write permissions to
the cgi-bin or .cgi files, but the case above is an (old and boring)
exploit of public write access to files combined with stupid exposure of
those files to abuse via SSI. That's why IncludesNoExec was provided.

> This is not a fault of Apache or even Matt's script, but of it being
> used incompetently.  It's a standard case of if you don't fully
> understand the security implictations don't change the configuration.

Agreed. But it has nothing to do with the choice of extension for SSI
parsing, but with the poor choice of whether to use full SSI or SSI with
exec disabled. (Also with the stupidity of allowing SSI parsing on a
guestbook in the first place, but so long as the exec keyword isn't
parsed, the exposure is merely annoying but not a vulnerability.

Steve
--
Steven Champeon                 v: 919.854.1570
Sr. Technical Consultant        f: 919.854.1579
hesketh.com/inc.                w: hesketh.com

home help back first fref pref prev next nref lref last post