Bugtraq mailing list archives

Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2)


From: jogata () NODC NOAA GOV (Jefferson Ogata)
Date: Mon, 8 Nov 1999 12:30:11 -0500


Ben Laurie wrote:

[Snippage has occurred]

Blue Boar wrote:
The format of the SSI command entered is as follows:

<!--#exec cmd="cat /etc/group"

You should place this command (or other desired command) somewhere in the
comments.

The format of the command is part of the problem, and why I'm thinking
there may be some sloppiness in Apache.  It appears that there is an
assumption that SSI commands tend to be on lines by themselves, and are of
the format:

<!--# (SSI command) -->

In my testing with the most recent Apache at the time (1.3.9) I found it
took any of the following:

<!--#exec cmd="cat /etc/group"-->
<!--#exec cmd="cat /etc/group">
<!--#exec cmd="cat /etc/group"

It also didn't seem to matter that it was in the middle of a line of HTML.

I'm actually a bit more worried about how many other scripts make this
assumption, and how long Apache has been making that be a bad assumption.

Apache doesn't make a bad assumption. If you don't want SSIs executing
stuff, you shouldn't enable it.

Cheers,

Ben.

Or you should enable it using the IncludesNOEXEC option rather than the simple
Includes option.

--
Jefferson Ogata <jogata () nodc noaa gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos
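
The point raised in this thread, shown as an added example that is not part of the original posts and is not code from Guestbook.pl: a filter that assumes the closed `<!--# ... -->` form misses the other two forms reported above as accepted by Apache 1.3.9, while escaping markup before storing the comment neutralizes all three. The function names and the naive regex are hypothetical.

```python
import html
import re

# Hypothetical filter that assumes SSI directives always look like <!--# ... -->
CLOSED_SSI = re.compile(r"<!--#.*?-->", re.DOTALL)

# The three forms listed in the thread, placed mid-line (constructed sample comments)
SAMPLES = [
    'Nice site! <!--#exec cmd="cat /etc/group"--> bye',
    'Nice site! <!--#exec cmd="cat /etc/group"> bye',
    'Nice site! <!--#exec cmd="cat /etc/group" bye',
]


def naive_strip(comment: str) -> str:
    """Remove only well-formed, closed SSI directives."""
    return CLOSED_SSI.sub("", comment)


def escape_comment(comment: str) -> str:
    """Escape markup so no '<!--#' opener can reach the stored page."""
    return html.escape(comment, quote=True)


def has_ssi_opener(text: str) -> bool:
    """True if the text still contains the start of an SSI directive."""
    return "<!--#" in text


def audit(samples):
    """Return (sample, opener left after naive strip, opener left after escaping)."""
    return [
        (s, has_ssi_opener(naive_strip(s)), has_ssi_opener(escape_comment(s)))
        for s in samples
    ]


if __name__ == "__main__":
    for sample, naive_left, escaped_left in audit(SAMPLES):
        print(f"{sample!r}\n  naive strip leaves opener: {naive_left}"
              f"\n  escaping leaves opener:    {escaped_left}")
```

Input escaping complements, rather than replaces, serving the page with `IncludesNOEXEC` as suggested in the reply above.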


