Bugtraq mailing list archives

Re: guestbook script is still vulnerable under apache
From: Lars.Eilebrecht () UNIX-AG ORG (Lars Eilebrecht)
Date: Fri, 26 Jun 1998 02:25:14 +0200

According to Stunt Pope:

> ...also seems to work. So it seems to me that the vulnerability exists
>
>          1) It's assumed an attacker will enter a correctly formed SSI
>          2) the httpd executes malformed SSI's

IMHO the guestbook script should not try to strip out SSIs, but rather
reject every input which contains the sequence "<!--#".

Apache handles SSI directives as soon as they appear in the document and
doesn't wait for the "-->" ending sequence (By the way, it is possible to use
more than one directive inside a SSI expression,
e.g. <!--#exec cmd="script1.sh" cmd="script2.sh" -->).

If the ending sequence is missing Apache outputs the error message
"premature EOF in parsed file /path/to/file", but IMHO there is no
reason why it shouldn't execute a valid SSI directive.

Exec-SSIs are a security problem in themselves and one should know about the risks
when enabling them (and enabling them for pages which are generated
from user input, e.g. guestbook pages, is just a stupid idea).

just my $0.02...
Lars Eilebrecht                               - Fatal system error:
sfx () unix-ag org                        - no coffee detected; user halted.
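The reject-rather-than-strip policy the post argues for, as an added example that is not code from the post or from the guestbook script under discussion. It assumes Apache's default SSI start sequence `<!--#`, models the "strip out SSIs" approach with a simple regex that needs both start and end sequences, and uses constructed guestbook entries (including one missing its `-->`, the case the post describes) to show where stripping fails and rejecting does not:

```python
import re

# Literal sequence mod_include treats as the start of an SSI directive
# (assumption: Apache's default start tag).
SSI_START = "<!--#"
SSI_END = "-->"

# Models the naive "strip out SSIs" approach: it can only remove a directive
# that has both the start and the end sequence.
_STRIP_RE = re.compile(r"<!--#.*?-->", re.DOTALL)


def strip_ssi(text: str) -> str:
    """Naive sanitizer: removes well-formed SSI directives only."""
    return _STRIP_RE.sub("", text)


def contains_ssi_start(text: str) -> bool:
    """True if the SSI start sequence appears anywhere in the input."""
    return SSI_START in text


def accept_guestbook_entry(text: str) -> str:
    """Policy from the post: reject the whole entry instead of cleaning it."""
    if contains_ssi_start(text):
        raise ValueError("entry rejected: contains SSI start sequence")
    return text


def compare_policies(text: str) -> dict:
    """Report what each policy leaves for Apache to parse.

    'strip_leaves_directive' is True when the stripped output still contains
    the start sequence, i.e. a directive Apache would act on regardless of
    the missing end sequence.
    """
    stripped = strip_ssi(text)
    try:
        accept_guestbook_entry(text)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "strip_leaves_directive": contains_ssi_start(stripped),
        "rejected": rejected,
    }


# Constructed sample entries (script names taken from the post's example).
WELL_FORMED = 'Nice site! <!--#exec cmd="script1.sh" -->'
MISSING_END = 'Nice site! <!--#exec cmd="script1.sh"'   # no "-->" at all
BENIGN_COMMENT = "Hello <!-- just an HTML comment -->"


if __name__ == "__main__":
    for label, entry in [("well-formed", WELL_FORMED),
                         ("missing end", MISSING_END),
                         ("benign comment", BENIGN_COMMENT)]:
        print(label, compare_policies(entry))
```

The stripping regex handles the well-formed directive but passes the one without `-->` through untouched, which is exactly the input Apache would still execute; the reject check treats both the same way and only lets the plain HTML comment through.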
