[12486] in bugtraq
Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2)
daemon@ATHENA.MIT.EDU (Jefferson Ogata)
Tue Nov 9 11:08:03 1999
Message-Id: <382708A3.E8ACB7CA@nodc.noaa.gov>
Date: Mon, 8 Nov 1999 12:30:11 -0500
Reply-To: jogata@NODC.NOAA.GOV
From: Jefferson Ogata <jogata@NODC.NOAA.GOV>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Ben Laurie wrote:
>
> [Snippage has occurred]
>
> Blue Boar wrote:
> > The format of the SSI command entered is as follows:
> >
> > <!--#exec cmd="cat /etc/group"
> >
> > You should place this command (or other desired command) somewhere in the
> > comments.
> >
> > The format of the command is part of the problem, and why I'm thinking
> > there may be some sloppiness in Apache. It appears that there is an
> > assumption that SSI commands tend to be on lines by themselves, and are of
> > the format:
> >
> > <!--# (SSI command) -->
> >
> > In my testing with the most recent Apache at the time (1.3.9) I found it
> > took any of the following:
> >
> > <!--#exec cmd="cat /etc/group"-->
> > <!--#exec cmd="cat /etc/group">
> > <!--#exec cmd="cat /etc/group"
> >
> > It also didn't seem to matter that it was in the middle of a line of HTML.
> >
> > I'm actually a bit more worried about how many other scripts make this
> > assumption, and how long Apache has been making that be a bad assumption.
>
> Apache doesn't make a bad assumption. If you don't want SSIs executing
> stuff, you shouldn't enable it.
>
> Cheers,
>
> Ben.

Or you should enable it using the IncludesNOEXEC option rather than the simple
Includes option.

--
Jefferson Ogata <jogata@nodc.noaa.gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos
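
Added example, not part of the original messages: a Python sketch of the input-handling point raised in this thread, run over the three directive forms Blue Boar reports Apache 1.3.9 accepting. `strip_complete_ssi` is a hypothetical stand-in for a script that assumes the `<!--# ... -->` form, and the sample guestbook comments are constructed.

```python
import html
import re

# Hypothetical filter of the kind the thread warns about: it assumes an SSI
# directive is always a complete comment, "<!--# ... -->".
COMPLETE_SSI = re.compile(r"<!--#.*?-->", re.DOTALL)


def strip_complete_ssi(comment: str) -> str:
    """Remove only well-formed SSI comments (the flawed assumption)."""
    return COMPLETE_SSI.sub("", comment)


def escape_comment(comment: str) -> str:
    """Encode HTML metacharacters so no '<!--#' opener reaches the page."""
    return html.escape(comment, quote=True)


def has_ssi_opener(text: str) -> bool:
    """True if the text still contains the start of an SSI directive."""
    return "<!--#" in text


# Constructed guestbook comments carrying the three forms quoted in the
# thread, each placed in the middle of a line.
SAMPLES = [
    'Nice site! <!--#exec cmd="cat /etc/group"--> bye',
    'Nice site! <!--#exec cmd="cat /etc/group"> bye',
    'Nice site! <!--#exec cmd="cat /etc/group" bye',
]


def audit(samples):
    """Return (opener survives the strip filter, opener survives escaping)."""
    return [
        (has_ssi_opener(strip_complete_ssi(s)), has_ssi_opener(escape_comment(s)))
        for s in samples
    ]


if __name__ == "__main__":
    for sample, (after_strip, after_escape) in zip(SAMPLES, audit(SAMPLES)):
        print(f"{sample!r}: strip leaves opener={after_strip}, "
              f"escape leaves opener={after_escape}")
```

Escaping submitted text before it is written into a server-parsed page works alongside the IncludesNOEXEC option named in the reply; it does not replace it.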