Vulnerability Development mailing list archives

Re: Guestbook perl script (error fix)


From: eparker () MINDSEC COM (Erik Parker)
Date: Fri, 8 Oct 1999 10:10:10 -0600


True, but you cannot be reckless with your SSIs anyway,
or even in allowing them. In Apache, you should only be allowing
SSIs on the directories they are going to be run in.. Never
the entire site, unless the ENTIRE site will be using them.

I've seen first hand, people who auto-update their sites, by
getting a headers file.. or something.. like the security
focus news that other people carry.. and tons of other people..

When people are polling it, if you insert an SSI to cat files
or run programs, it will grab that file and execute it. That
says more than a little, it says they have SSI enabled for that directory,
or the entire site, and it is defaulting to chmod +x the file..

Another good way to make sure you aren't running these SSIs (with Apache
anyway), don't set that x bit on your text files. :)

On Fri, 8 Oct 1999, Matt Carothers wrote:

On Mon, 4 Oct 1999, Blue Boar wrote:

During my testing of the exploit, I've found that all of these work:

<!--#exec cmd="cat /etc/group"-->
<!--#exec cmd="cat /etc/group">
<!--#exec cmd="cat /etc/group"

This works even in the middle of a line of HTML code!
[...]
Can anyone else verify that their web server behaves similarly, and that I
haven't configured or compiled something funny?  I haven't had time to dig
into the Apache code yet.

Yeah, that's normal behavior.  If mod_include sees a "<!--#", it processes
the directive.  After it's done with the directive, it looks for "-->" and
logs a "premature EOF" error if it doesn't find it.

I suggest that folks look for lines that have <!-- in them, and dump the
whole line for safety's sake, when writing such scripts.  In my brief
testing, the entire <!-- prefix seemed necessary.

The entire "<!--#" has to be there to trigger a directive handler.  Removing
all occurrences of "<!--#" from the input is sufficient to neuter all
server-side includes.

$value =~ s/<!--#//g;

- Matt


Erik Parker
eparker () mindsec com
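The filtering discussed in the quoted reply, written out as an added example (this is not the guestbook script under discussion, nor Matt's or Blue Boar's code). It assumes the guestbook stores whatever the visitor typed into a server-parsed file, and models the mod_include trigger the way the thread describes it: a directive fires on "<!--#" anywhere in the text, with or without a closing "-->". The sample input is constructed and covers the three forms Blue Boar listed, including one in the middle of a line of HTML.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread: neutralizing Apache SSI
# directives in guestbook input.
use strict;
use warnings;

# Model of the trigger mod_include uses (as described in the thread): the
# directive handler fires on "<!--#" anywhere, closing "-->" or not.
# Returns the directive names found, e.g. ("exec", "exec").
sub find_ssi_directives {
    my ($text) = @_;
    my @hits;
    while ($text =~ /<!--#\s*(\w+)/g) {
        push @hits, $1;
    }
    return @hits;
}

# Matt's minimal fix: drop the "<!--#" prefix itself. What remains is
# inert text as far as mod_include is concerned.
sub strip_ssi_prefix {
    my ($value) = @_;
    $value =~ s/<!--#//g;
    return $value;
}

# Blue Boar's conservative variant: throw away any line carrying "<!--",
# which also removes ordinary HTML comments.
sub drop_comment_lines {
    my ($value) = @_;
    return join "\n", grep { !/<!--/ } split /\n/, $value;
}

# Constructed sample guestbook entry (not real data).
my $sample = join "\n",
    'Nice site!',
    '<!--#exec cmd="cat /etc/group"-->',
    '<!--#exec cmd="cat /etc/group">',
    '<b>hi</b><!--#exec cmd="cat /etc/group"',
    '<!-- harmless comment -->';

my @found = find_ssi_directives($sample);
print "directives before filtering: @found\n";

my $minimal = strip_ssi_prefix($sample);
my @left    = find_ssi_directives($minimal);
print "directives after strip_ssi_prefix: ", scalar(@left), "\n";

my $strict = drop_comment_lines($sample);
my @lines  = split /\n/, $strict;
print "lines left after drop_comment_lines: ", scalar(@lines), "\n";
```

Both filters leave find_ssi_directives() with nothing to report on the sample; the difference is that strip_ssi_prefix() keeps the visitor's text (and the harmless comment) while drop_comment_lines() keeps only the first line. Either one only addresses mod_include; it is not a general HTML sanitizer.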
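Erik's two configuration points, confining SSI to the directories that need it and not relying on the execute bit, as an added Apache configuration example (not taken from the thread). The directory paths are assumptions; the directives (Options Includes/IncludesNOEXEC, XBitHack, AddHandler server-parsed) are Apache's own.

```apache
# Added example, not from the original thread.

# Weak: SSI, including #exec, enabled for the whole site, and XBitHack
# means any file someone manages to chmod +x gets parsed.
# <Directory "/var/www/html">
#     Options +Includes
#     XBitHack on
# </Directory>

# Restricted: no SSI anywhere by default, and no x-bit parsing...
<Directory "/var/www/html">
    Options -Includes
    XBitHack off
</Directory>

# ...then only in the one directory that needs it, by extension, and
# without #exec (IncludesNOEXEC still allows #include of plain files).
<Directory "/var/www/html/ssi">
    Options +IncludesNOEXEC
    AddType text/html .shtml
    AddHandler server-parsed .shtml
</Directory>
```

With this layout a guestbook file written anywhere under /var/www/html is never handed to mod_include, and even inside /var/www/html/ssi an injected `<!--#exec cmd=...-->` has no handler to run.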
