[7034] in bugtraq
Re: guestbook script is still vulnerable under apache
daemon@ATHENA.MIT.EDU (Andru Luvisi)
Thu Jun 25 22:18:09 1998
Date: Thu, 25 Jun 1998 15:59:26 -0700
Reply-To: Andru Luvisi <luvisi@andru.sonoma.edu>
From: Andru Luvisi <luvisi@ANDRU.SONOMA.EDU>
X-To: Theo Van Dinter <felicity@KLUGE.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199806252019.QAA24501@eclectic.kluge.net>
On Thu, 25 Jun 1998, Theo Van Dinter wrote:
[snip]
> I don't use the program in question so I can't pass this on to the author, but
> here is a replacement for that "bad" line that will handle all (to my
> knowledge) SSIs including malformed ones:
>
> $value=~s{
> <! # Comments start with <!
> ([^<>]|<[^<>]+>)* # Remove anything in between, including
> # the non-spec'ed included tags ...
> > # End of the comment.
> }{}gsx; # Replace with Nothing
>
>
> This replaces <! ... >, including "not correct" commented-out tags.
> Works great in a little web spider I wrote.
I'm not convinced this is a complete solution:
andru:~$ cat sub.pl
#!/usr/bin/perl -p
s{
<! # Comments start with <!
([^<>]|<[^<>]+>)* # Remove anything in between, including
# the non-spec'ed included tags ...
> # End of the comment.
}{}gsx; # Replace with Nothing
andru:~$ perl sub.pl
<<!>!--#exec #cmd="/bin/echo foo">
<!--#exec #cmd="/bin/echo foo">
andru:~$
perhaps something like:
while($value =~ /<!/) {
...
}
would be better...
though I agree that the "correct" solution is to simply configure your
server so that it doesn't parse the guestbook.
andru
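As an added, defender-side illustration that is not part of this thread: the quoted Perl substitution transcribed to Python, run once (reproducing the single-pass gap shown above), run to a fixed point (a terminating form of the `while` loop sketched in the reply), and compared with the simpler approach of escaping markup characters outright. The function names `strip_once`, `strip_to_fixed_point`, `contains_ssi_opener` and `escape_markup` and the sample inputs are my own constructions.

```python
import re

# Same pattern as the quoted Perl substitution, transcribed to Python:
#   <!  ([^<>]|<[^<>]+>)*  >
SSI_COMMENT = re.compile(r'<!(?:[^<>]|<[^<>]+>)*>', re.S)


def strip_once(value: str) -> str:
    """One pass of the quoted substitution (what the original line does)."""
    return SSI_COMMENT.sub('', value)


def strip_to_fixed_point(value: str, max_rounds: int = 16) -> str:
    """Repeat the substitution until it no longer changes the string.

    Looping on the mere presence of '<!' (the while-loop sketch in the
    reply) never terminates on input such as 'abc <!--#exec cmd="x"',
    because the pattern needs a closing '>' before it can match anything.
    Stopping at a fixed point, with a round budget, avoids that hang; the
    caller then checks whether an opener survived.
    """
    for _ in range(max_rounds):
        new = SSI_COMMENT.sub('', value)
        if new == value:
            return value
        value = new
    return value  # budget exhausted; caller must still check the result


def contains_ssi_opener(value: str) -> bool:
    """True if a '<!' sequence is still present after filtering."""
    return '<!' in value


def escape_markup(value: str) -> str:
    """Alternative that does not try to recognise SSI syntax at all:
    neutralise the characters that can open any tag or directive, so the
    server never sees '<!' regardless of how the input was nested."""
    return (value.replace('&', '&amp;')
                 .replace('<', '&lt;')
                 .replace('>', '&gt;'))


# Constructed sample inputs (the first two mirror the demo in the thread).
NESTED = '<<!>!--#exec #cmd="/bin/echo foo">'
PLAIN = '<!--#exec #cmd="/bin/echo foo">'
UNTERMINATED = 'hello <!--#exec cmd="x"'
BENIGN = 'Hi there, nice site!'


def demo() -> dict:
    """Collect the results for each approach so they can be compared."""
    return {
        'single_pass_on_nested': strip_once(NESTED),
        'fixed_point_on_nested': strip_to_fixed_point(NESTED),
        'fixed_point_on_unterminated': strip_to_fixed_point(UNTERMINATED),
        'unterminated_still_has_opener':
            contains_ssi_opener(strip_to_fixed_point(UNTERMINATED)),
        'escaped_nested': escape_markup(NESTED),
        'benign_unchanged': strip_to_fixed_point(BENIGN) == BENIGN,
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print(f'{name}: {result!r}')
```

The single pass removes only the inner `<!>`, which is exactly what turns the nested input into a live `<!--#exec` directive; the fixed-point loop strips it completely but must still be followed by a check for leftover `<!` on unterminated input, which the pattern cannot match. Escaping `<`, `>` and `&` sidesteps the whole question, and, as the message notes, so does configuring the server not to parse the guestbook file at all.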