mailing list archives
Re: guestbook script is still vulnerable under apache
From: Lars.Eilebrecht () UNIX-AG ORG (Lars Eilebrecht)
Date: Fri, 26 Jun 1998 02:25:14 +0200
According to Stunt Pope:
> ...also seems to work. So it seems to me that the vulnerability exists
> 1) It's assumed an attacker will enter a correctly formed SSI
> 2) the httpd executes malformed SSIs
IMHO the guestbook script should not try to strip out SSIs, but rather
reject every input which contains the sequence "<!--#".
Apache handles SSI directives as soon as they appear in the document and
doesn't wait for the "-->" ending sequence (by the way, it is possible to use
more than one directive inside an SSI expression,
e.g. <!--#exec cmd="script1.sh" cmd="script2.sh" -->).
If the ending sequence is missing Apache outputs the error message
"premature EOF in parsed file /path/to/file", but IMHO there is no
reason why it shouldn't execute a valid SSI directive.
Exec-SSIs are a security problem in themselves and one should know about the risks
when enabling them (and enabling them for pages which are generated
from user input, e.g. guestbook pages, is just a stupid idea).
just my $0.02...
Lars Eilebrecht - Fatal system error:
sfx () unix-ag org - no coffee detected; user halted.
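An added illustration of the point made above, not code from the original post or from any guestbook script: a filter that only strips complete `<!--# ... -->` blocks lets an unterminated directive through, which Apache still executes, whereas rejecting any input containing the start sequence `<!--#` closes the gap. The sample guestbook entries below are constructed for the example; the function names are assumptions.

```python
import re

# Constructed sample guestbook entries (not taken from the original post).
SAMPLES = {
    "plain": "Nice site, thanks!",
    "well_formed": 'hello <!--#exec cmd="script1.sh" --> world',
    # Missing "-->": Apache still acts on the directive as soon as it sees it.
    "unterminated": 'hello <!--#exec cmd="script1.sh"',
    # Two directives inside one SSI expression, as mentioned in the post.
    "double": 'x <!--#exec cmd="script1.sh" cmd="script2.sh" --> y',
}

SSI_START = "<!--#"


def strip_ssi_naive(text: str) -> str:
    """The flawed approach: remove only complete '<!--# ... -->' blocks.

    A directive without its closing '-->' survives this filter intact,
    so the stored guestbook page still contains an executable directive.
    """
    return re.sub(r"<!--#.*?-->", "", text, flags=re.DOTALL)


def contains_ssi_start(text: str) -> bool:
    """True if the text contains the SSI start sequence anywhere."""
    return SSI_START in text


def accept_guestbook_entry(text: str) -> str:
    """The approach recommended in the post: reject, don't sanitise.

    Raises ValueError for any input containing '<!--#'; otherwise returns
    the entry unchanged for storage.
    """
    if contains_ssi_start(text):
        raise ValueError("rejected: entry contains SSI start sequence '<!--#'")
    return text


def survivors_after_naive_strip() -> list:
    """Names of constructed samples that still carry '<!--#' after the
    naive strip, i.e. the cases the strip-based filter fails on."""
    return [
        name for name, entry in SAMPLES.items()
        if contains_ssi_start(strip_ssi_naive(entry))
    ]


def rejected_by_reject_filter() -> list:
    """Names of constructed samples the reject-based filter refuses."""
    rejected = []
    for name, entry in SAMPLES.items():
        try:
            accept_guestbook_entry(entry)
        except ValueError:
            rejected.append(name)
    return rejected


if __name__ == "__main__":
    print("still dangerous after naive strip:", survivors_after_naive_strip())
    print("rejected by '<!--#' check:", rejected_by_reject_filter())
```

The regex-based strip removes the well-formed and double-directive samples but leaves the unterminated one untouched, while the plain substring check rejects all three and accepts only the harmless entry; running the check on the raw input before any other transformation keeps it that simple.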