On Mon, 4 Oct 1999, Blue Boar wrote:
> During my testing of the exploit, I've found that all of these work:
>
> <!--#exec cmd="cat /etc/group"-->
> <!--#exec cmd="cat /etc/group">
> <!--#exec cmd="cat /etc/group"
>
> This works even in the middle of a line of HTML code!
[...]
> Can anyone else verify that their web server behaves similarly, and that I
> haven't configured or compiled something funny? I haven't had time to dig
> into the Apache code yet.
Yeah, that's normal behavior. If mod_include sees a "<!--#", it processes
the directive. After it's done with the directive, it looks for "-->" and
logs a "premature EOF" error if it doesn't find it.
> I suggest that folks look for lines that have <!-- in them, and dump the
> whole line for safety's sake, when writing such scripts. In my brief
> testing, the entire <!-- prefix seemed necessary.
The entire "<!--#" has to be there to trigger a directive handler. Removing
all occurrences of "<!--#" from the input is sufficient to neuter all
server-side includes.

    $value =~ s/<!--#//g;
- Matt
Received on Oct 08 1999
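
Added example, not part of the original thread: a small Perl check showing why a filter has to key on the "<!--#" prefix rather than on a complete, terminated directive. The sample inputs are constructed from the forms quoted above; the function names are hypothetical, and repeating the substitution until the string stops changing is an addition here, not something the message specifies.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample inputs: the three forms quoted in the thread, one
# embedded in the middle of a line, and one ordinary HTML comment.
my @samples = (
    '<!--#exec cmd="cat /etc/group"-->',
    '<!--#exec cmd="cat /etc/group">',
    '<!--#exec cmd="cat /etc/group"',
    '<b>hi</b> <!--#exec cmd="cat /etc/group" and more text',
    '<!-- an ordinary comment -->',
);

# Hypothetical naive filter: strips only directives that are properly
# terminated with "-->". mod_include does not need the terminator.
sub strip_complete_directive {
    my ($v) = @_;
    $v =~ s/<!--#.*?-->//gs;
    return $v;
}

# Prefix removal as in the message, repeated until nothing is left to
# remove, so a removal can never leave a fresh "<!--#" behind.
sub strip_prefix {
    my ($v) = @_;
    1 while $v =~ s/<!--#//g;
    return $v;
}

# True if the string still contains the sequence that triggers a
# directive handler.
sub has_trigger {
    my ($v) = @_;
    return index($v, '<!--#') >= 0 ? 1 : 0;
}

for my $in (@samples) {
    printf "%-56s complete-match=%-10s prefix=%s\n", $in,
        has_trigger(strip_complete_directive($in)) ? 'STILL LIVE' : 'ok',
        has_trigger(strip_prefix($in))             ? 'STILL LIVE' : 'ok';
}
```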