Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: guestbook script is still vulnerable under apache
From: luvisi () andru sonoma edu (Andru Luvisi)
Date: Thu, 25 Jun 1998 15:59:26 -0700


On Thu, 25 Jun 1998, Theo Van Dinter wrote:
[snip]
I don't use the program in question so I can't pass this on to the author, but
here is a replacement for that "bad" line that will handle all (to my
knowledge) SSI's including malformed ones:

    $value=~s{
        <!                  # Comments start with <!
        ([^<>]|<[^<>]+>)*   # Remove anything in between, including
                            # the non-spec'ed included tags ...
        >                   # End of the comment.
    }{}gsx;                 # Replace with Nothing


This replaces <! ... >, including "not correct" commented-out tags.
Works great in a little web spider I wrote.

I'm not convinced this is a complete solution:
andru:~$ cat sub.pl
#!/usr/bin/perl -p

     s{
         <!                  # Comments start with <!
         ([^<>]|<[^<>]+>)*   # Remove anything in between, including
                             # the non-spec'ed included tags ...
         >                   # End of the comment.
     }{}gsx;                 # Replace with Nothing


andru:~$ perl sub.pl
<<!>!--#exec #cmd="/bin/echo foo">
<!--#exec #cmd="/bin/echo foo">
andru:~$


perhaps something like:
 while($value =~ /<!/) {
   ...
 }

would be better...

though I agree that the "correct" solution is to simply configure your
server so that it doesn't parse the guestbook.

andru



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]