Bugtraq mailing list archives
Re: guestbook script is still vulnerable under apache
From: Lars.Eilebrecht () UNIX-AG ORG (Lars Eilebrecht)
Date: Fri, 26 Jun 1998 02:25:14 +0200
According to Stunt Pope:

> [...]
> ...also seems to work. So it seems to me that the vulnerability exists
> because:
> 1) It's assumed an attacker will enter a correctly formed SSI
> 2) the httpd executes malformed SSIs

IMHO the guestbook script should not try to strip out SSIs, but rather reject every input which contains the sequence "<!--#".

Apache handles SSI directives as soon as they appear in the document and doesn't wait for the "-->" ending sequence (by the way, it is possible to use more than one directive inside an SSI expression, e.g. <!--#exec cmd="script1.sh" cmd="script2.sh" -->). If the ending sequence is missing, Apache outputs the error message "premature EOF in parsed file /path/to/file", but IMHO there is no reason why it shouldn't execute a valid SSI directive.

Exec-SSIs are a security problem in themselves and one should know about the risks when enabling them (and enabling them for pages which are generated from user input, e.g. guestbook pages, is just a stupid idea).

just my $0.02...

--
Lars Eilebrecht                  - Fatal system error:
sfx () unix-ag org               - no coffee detected; user halted.
http://www.home.unix-ag.org/sfx/
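As an added illustration of the point made in this message (example code written for this page, not code from the thread or from any guestbook script): a Python check that rejects any guestbook entry containing the "<!--#" start sequence, shown beside the strip-only approach the message argues against. The strip-only filter removes complete "<!--# ... -->" blocks and therefore leaves an unterminated directive untouched, which is exactly the case Apache still executes. The function names and the sample entries are constructed for this example; DATE_LOCAL is a standard mod_include variable used here only as a harmless directive.

```python
import re

# Apache mod_include acts on a directive as soon as it sees this prefix;
# it does not wait for the closing "-->" (the point made in the message).
SSI_START = "<!--#"

# Weak approach: strip only well-formed "<!--# ... -->" blocks and let
# everything else through. DOTALL so a directive spanning lines still matches.
_WELL_FORMED_SSI = re.compile(r"<!--#.*?-->", re.DOTALL)


def strip_well_formed_ssi(text: str) -> str:
    """Remove complete SSI directives only.

    An unterminated directive (no "-->") does not match and survives
    unchanged, so the server-parsed page would still contain it.
    """
    return _WELL_FORMED_SSI.sub("", text)


def contains_ssi_start(text: str) -> bool:
    """Reject check: True if the SSI start sequence occurs anywhere,
    whether or not a closing "-->" follows it."""
    return SSI_START in text


def accept_guestbook_entry(text: str):
    """Return the entry if it may be written into a server-parsed page,
    or None when it must be rejected outright (the recommended approach)."""
    if contains_ssi_start(text):
        return None
    return text


# Constructed sample entries (not taken from the original thread).
SAMPLES = {
    "plain": "Nice site, greetings from Oslo!",
    "well_formed": 'hello <!--#echo var="DATE_LOCAL" --> world',
    "unterminated": 'hello <!--#echo var="DATE_LOCAL" world',
}


def compare_filters() -> dict:
    """For each sample, report whether the strip-only filter left an SSI
    start sequence in its output, and whether the reject check accepts it."""
    report = {}
    for name, entry in SAMPLES.items():
        stripped = strip_well_formed_ssi(entry)
        report[name] = {
            "strip_leaves_ssi": SSI_START in stripped,
            "reject_accepts": accept_guestbook_entry(entry) is not None,
        }
    return report


if __name__ == "__main__":
    for name, result in compare_filters().items():
        print(f"{name:13s} strip leaves SSI: {result['strip_leaves_ssi']!s:5s} "
              f"reject accepts: {result['reject_accepts']}")
```

The comparison is the whole argument in one place: the strip-only filter passes the unterminated entry with its "<!--#" intact, while the reject check refuses both the well-formed and the unterminated entry and only lets the plain one through.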
