Vulnerability Development mailing list archives
Re: Guestbook perl script (error fix)
From: eparker () MINDSEC COM (Erik Parker)
Date: Fri, 8 Oct 1999 10:10:10 -0600
True, but you can not be reckless with your SSI's anyway, and even allowing them. In apache, you should only be allowing SSI's on the directories they are going to be run in.. Never the entire site, unless the ENTIRE site will be using them.

I've seen first hand, people who auto-update their sites, but getting a headers file.. or something.. like the security focus news that other people carry.. any tons of other people.. When people are polling it, if you insert an SSI to cat files or run programs, it will grab that file and execute it. That says more than a little, it says they have SSI enabled for that directory, or the entire site, and it is defaulting to chmod +x the file..

Another good way to make sure you aren't running these SSI's (with apache anyway), don't set that x bit on your text files. :)

On Fri, 8 Oct 1999, Matt Carothers wrote:

> On Mon, 4 Oct 1999, Blue Boar wrote:
>
> > During my testing of the exploit, I've found that all of these work:
> >
> > <!--#exec cmd="cat /etc/group"-->
> > <!--#exec cmd="cat /etc/group">
> > <!--#exec cmd="cat /etc/group"
> >
> > This works even in the middle of a line of HTML code!
>
> [...]
>
> > Can anyone else verify that their web server behaves similarly, and
> > that I haven't configured or compiled something funny? I haven't had
> > time to dig into the Apache code yet.
>
> Yeah, that's normal behavior. If mod_include sees a "<!--#", it
> processes the directive. After it's done with the directive, it looks
> for "-->" and logs a "premature EOF" error if it doesn't find it.
>
> > I suggest that folks look for lines that have <!-- in them, and dump
> > the whole line for safety's sake, when writing such scripts. In my
> > brief testing, the entire <!-- prefix seemed necessary.
>
> The entire "<!--#" has to be there to trigger a directive handler.
> Removing all occurrences of "<!--#" from the input is sufficient to
> neuter all server-side includes.
>
> $value =~ s/<!--#//g;
>
> - Matt

Erik Parker eparker () mindsec com
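
Added example, not part of the original messages: a Perl input filter for a guestbook script that runs the one-pass removal quoted above next to HTML-escaping the entry before it is written to the page, and reports whether a "<!--#" opener is still present afterwards. The sub names and the sample entries are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread; sub names are hypothetical.
use strict;
use warnings;

# Filter as posted in the thread: one pass removing the directive opener.
sub strip_once {
    my ($value) = @_;
    $value =~ s/<!--#//g;
    return $value;
}

# Encode HTML metacharacters instead of deleting substrings. With "<"
# stored as "&lt;", the saved entry cannot contain "<!--#" at all.
sub escape_entry {
    my ($value) = @_;
    $value =~ s/&/&amp;/g;    # first, so the entities added below are not re-encoded
    $value =~ s/</&lt;/g;
    $value =~ s/>/&gt;/g;
    $value =~ s/"/&quot;/g;
    return $value;
}

# True if mod_include would still find a directive opener in the text.
sub has_opener {
    my ($text) = @_;
    return index($text, '<!--#') >= 0;
}

# Constructed guestbook submissions (harmless echo directive).
my @entries = (
    'Great page!',
    'Hi <!--#echo var="DATE_LOCAL"--> there',
    'Hi <!--#echo var="DATE_LOCAL" there',          # no closing "-->"
    'Hi <!-<!--#-#echo var="DATE_LOCAL"--> there',  # opener re-forms after one pass
);

for my $entry (@entries) {
    my $stripped = strip_once($entry);
    my $escaped  = escape_entry($entry);
    printf "input:    %s\n", $entry;
    printf "stripped: %s  [opener left: %s]\n", $stripped, has_opener($stripped) ? 'yes' : 'no';
    printf "escaped:  %s  [opener left: %s]\n\n", $escaped, has_opener($escaped) ? 'yes' : 'no';
}
```

Escaping also keeps the visitor's text readable in the rendered guestbook, whereas substring removal silently alters it.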