[7033] in bugtraq
Re: guestbook script is still vulnerable under apache
daemon@ATHENA.MIT.EDU (Lars Eilebrecht)
Thu Jun 25 22:05:32 1998
Date: Fri, 26 Jun 1998 02:25:14 +0200
Reply-To: Lars.Eilebrecht@UNIX-AG.ORG
From: Lars Eilebrecht <Lars.Eilebrecht@UNIX-AG.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <XFMail.980625150741.markjr@shmOOze.net>
According to Stunt Pope:
[...]
> ...also seems to work. So it seems to me that the vulnerability exists
> because:
>
> 1) It's assumed an attacker will enter a correctly formed SSI
> 2) the httpd executes malformed SSI's
IMHO the guestbook script should not try to strip out SSIs, but rather
reject every input which contains the sequence "<!--#".

Apache handles SSI directives as soon as they appear in the document and
doesn't wait for the "-->" ending sequence (by the way, it is possible to use
more than one directive inside an SSI expression,
e.g. <!--#exec cmd="script1.sh" cmd="script2.sh" -->).

If the ending sequence is missing Apache outputs the error message
"premature EOF in parsed file /path/to/file", but IMHO there is no
reason why it shouldn't execute a valid SSI directive.

Exec-SSIs are a security problem in themselves and one should know about the risks
when enabling them (and enabling them for pages which are generated
from user input, e.g. guestbook pages, is just a stupid idea).

just my $0.02...
--
Lars Eilebrecht - Fatal system error:
sfx@unix-ag.org - no coffee detected; user halted.
http://www.home.unix-ag.org/sfx/
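The strip-versus-reject point made in the message above, as an added illustration that is not code from the original post or from any guestbook script. It assumes a hypothetical guestbook filter that removes complete `<!--# ... -->` blocks with a regular expression, and constructs its own sample inputs (including the unterminated directive the post describes, which Apache would still parse). It also goes one step beyond the post by showing HTML-escaping of the whole entry as the general fix that makes the `<!--#` question moot.

```python
import html
import re
from typing import Optional

# Constructed sample inputs (not taken from the original post).
SAMPLES = {
    # A well-formed directive: the strip approach does remove it.
    "well_formed": 'hello <!--#exec cmd="ls" --> world',
    # Missing "-->": the strip approach leaves it in place, but Apache
    # (per the post) acts on the directive as soon as "<!--#" appears.
    "unterminated": 'hello <!--#exec cmd="ls" world',
    # The multi-directive form quoted in the post.
    "two_directives": '<!--#exec cmd="script1.sh" cmd="script2.sh" -->',
    # An ordinary HTML comment without the "#" marker.
    "benign": 'hello <!-- just a comment --> world',
}

# Hypothetical "strip" filter: only matches a directive that is closed by
# "-->", so an unterminated one survives untouched.
SSI_BLOCK = re.compile(r"<!--#.*?-->", re.DOTALL)


def strip_ssi(text: str) -> str:
    """Remove complete <!--# ... --> blocks (the weak approach)."""
    return SSI_BLOCK.sub("", text)


def contains_ssi_start(text: str) -> bool:
    """The check the post recommends: look only for the opening sequence."""
    return "<!--#" in text


def accept_entry(text: str) -> Optional[str]:
    """Reject (return None) any entry that contains the SSI start sequence."""
    return None if contains_ssi_start(text) else text


def escape_entry(text: str) -> str:
    """Beyond the post: escape '<', '>' and '&' so no markup of any kind
    (SSI or otherwise) reaches the parsed page."""
    return html.escape(text, quote=False)


def survives_strip(text: str) -> bool:
    """True if the strip filter still leaves an SSI start in the output."""
    return contains_ssi_start(strip_ssi(text))


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:15} strip leaves SSI start: {survives_strip(sample)!s:5} "
              f"reject accepts: {accept_entry(sample) is not None!s:5} "
              f"escaped: {escape_entry(sample)}")
```

Running the block shows the asymmetry: the well-formed directive is removed by stripping, the unterminated one is not, while the reject check refuses both and lets the benign comment through; the escaped form never contains a literal `<` at all.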