Bugtraq mailing list archives
Re: guestbook script is still vulnerable under apache
From: luvisi () andru sonoma edu (Andru Luvisi)
Date: Thu, 25 Jun 1998 15:59:26 -0700
On Thu, 25 Jun 1998, Theo Van Dinter wrote:
[snip]
> I don't use the program in question so I can't pass this on to the author,
> but here is a replacement for that "bad" line that will handle all (to my
> knowledge) SSI's including malformed ones:
>
> $value=~s{
>         <!                      # Comments start with <!
>         ([^<>]|<[^<>]+>)*       # Remove anything in between, including
>                                 # the non-spec'ed included tags ...
>         >                       # End of the comment.
> }{}gsx;                         # Replace with Nothing
>
> This replaces <! ... >, including "not correct" commented-out tags. Works
> great in a little web spider I wrote.

I'm not convinced this is a complete solution:

andru:~$ cat sub.pl
#!/usr/bin/perl -p
s{
        <!                      # Comments start with <!
        ([^<>]|<[^<>]+>)*       # Remove anything in between, including
                                # the non-spec'ed included tags ...
        >                       # End of the comment.
}{}gsx;                         # Replace with Nothing
andru:~$ perl sub.pl
<<!>!--#exec #cmd="/bin/echo foo">
<!--#exec #cmd="/bin/echo foo">
andru:~$

perhaps something like:

while($value =~ /<!/) { ... }

would be better... though I agree that the "correct" solution is to simply
configure your server so that it doesn't parse the guestbook.

andru
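The following is an added example, not part of the original message or of the guestbook script. It runs the quoted pattern once and then repeatedly over the input line from the transcript above, to show why a single pass leaves a directive behind. The function names, the loop body (elided as "..." in the message) and the final escaping step are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The comment-stripping pattern quoted in the message, unchanged.
my $COMMENT = qr{
    <!                      # Comments start with <!
    ([^<>]|<[^<>]+>)*       # Anything in between, including nested tags
    >                       # End of the comment
}sx;

# Single pass, as in the proposed replacement line.
sub strip_once {
    my ($value) = @_;
    $value =~ s/$COMMENT//g;
    return $value;
}

# Repeat until a pass removes nothing, so that a comment assembled by an
# earlier removal is removed as well. Each successful pass shortens the
# string, so the loop terminates. If a "<!" still survives (an opener the
# pattern cannot pair with a ">"), escape its "<" so the stored value never
# contains "<!". The escaping step is an assumption of this example.
sub strip_until_clean {
    my ($value) = @_;
    1 while $value =~ s/$COMMENT//g;
    $value =~ s/<!/&lt;!/g;
    return $value;
}

# Constructed input: the line typed into sub.pl in the message above.
my $input = qq{<<!>!--#exec #cmd="/bin/echo foo">};

for my $filter ([single_pass => \&strip_once],
                [until_clean => \&strip_until_clean]) {
    my ($name, $code) = @$filter;
    my $out = $code->($input);
    printf "%-12s %-36s %s\n", $name, "[$out]",
        ($out =~ /<!/ ? 'still contains <!' : 'no <! left');
}
```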