Bugtraq mailing list archives
guestbook script is still vulnerable under apache
From: markjr () shmOOze net (Stunt Pope)
Date: Thu, 25 Jun 1998 15:07:41 -0400
Due to what looks to me to be a bug in certain webservers' handling of malformed SSI tags, I believe I've found a potential vulnerability in the guestbook script at Matt Wright's archive. Basically, it is still possible to use the SSI method of attack provided certain conditions are met:

1) $allow_html is turned on (which it is by default)
2) whatever file holds the messages (guestbook.html) is server parsed
3) the web server executes a malformed SSI

The script attempts to strip out SSIs with the following regex:

    $value =~ s/<!--(.|\n)*-->//g;

Which is fairly easily circumvented by entering:

    <!--#exec cmd="/bin/cat /etc/passwd"->

It seems to me that if the resultant page is server parsed, the server (I'm testing this on Apache 1.2.6) will happily execute the SSI. In fact it will do it in the absence of a closing tag altogether, it seems.

    <!--#exec cmd="/bin/cat /etc/passwd"

...also seems to work.

So it seems to me that the vulnerability exists because:

1) It's assumed an attacker will enter a correctly formed SSI
2) the httpd executes malformed SSIs

-mark

---
Mark Jeftovic aka: mark jeff or vic, stunt pope.
markjr () shmOOze net  http://www.shmOOze.net/~markjr
Private World's BOFH   http://www.PrivateWorld.com
irc: L-bOMb            Keep `em Guessing
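The filter weakness described in the post, as an added example that is not part of the original message or of the guestbook script: the guestbook's Perl regex is ported to Python so its behaviour on the well-formed, short-closed and unclosed directives from the post can be checked side by side with a hardened filter that neutralises every comment opener rather than looking for a closing "-->". The function names and the sample dictionary are constructed for this example.

```python
import re

# The guestbook's original filter, ported from Perl:
#     $value =~ s/<!--(.|\n)*-->//g;
# It only removes a comment that is properly closed with "-->".
ORIGINAL_STRIP = re.compile(r'<!--(.|\n)*-->')


def strip_ssi_original(value: str) -> str:
    """Apply the guestbook's original (insufficient) stripping rule."""
    return ORIGINAL_STRIP.sub('', value)


def strip_ssi_hardened(value: str) -> str:
    """Hardened filter: the server-side include parser only needs to see
    "<!--" to start a directive, so escape every opener regardless of
    whether, or how, it is closed. $allow_html content survives otherwise."""
    return value.replace('<!--', '&lt;!--')


def looks_like_ssi(value: str) -> bool:
    """Detection check: would a server-parsed page still see a directive?"""
    return '<!--#' in value


# Constructed samples mirroring the three cases in the post: a well-formed
# comment close, the short "->" close, and no close at all.
SAMPLES = {
    'well_formed': '<!--#exec cmd="/bin/cat /etc/passwd"-->',
    'short_close': '<!--#exec cmd="/bin/cat /etc/passwd"->',
    'unclosed':    'nice site <!--#exec cmd="/bin/cat /etc/passwd"',
}


def evaluate(value: str) -> dict:
    """Report whether a directive survives each filter for one input."""
    return {
        'original': looks_like_ssi(strip_ssi_original(value)),
        'hardened': looks_like_ssi(strip_ssi_hardened(value)),
    }


if __name__ == '__main__':
    for name, sample in SAMPLES.items():
        print(name, evaluate(sample))
```

Only the well-formed case is caught by the original regex; both malformed inputs pass through it untouched, while the hardened filter leaves no "<!--#" in any of the three.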