Guestbook.pl, sloppy SSI handling in Apache? (VD#2)

[BlueBoar () THIEVCO COM (Blue Boar)]

-------------------------------------------------------------------
Periodically, the moderator of of the vuln-dev mailing list will post
summaries of issues discussed there to Bugtraq and possibly other relevant
lists.  This will usually happen when an issue has been resolved, or it
appears that there will be no further discussion on vuln-dev.  Each
separate issue will be given it's own posting to facilitate referencing
them separately, for discussion, forwarding, or appearance in vulnerability
databases.

To subscribe to vuln-dev, send an e-mail to listserv () securityfocus com,
with the word SUBSCRIBE in the body of the message.

A FAQ and archive can be found at www.securityfocus.com-->forums-->vuln-dev
(click on these sections, the web pages are forms-based.)
-------------------------------------------------------------------

There exists a vulnerability in the guestbook CGI program from Matt's
Archive:

http://www.worldwidemart.com/scripts/guestbook.shtml

Given a particular set of configuration options (see below) it is possible
for anyone to enter Server-Side Include (SSI) commands via the guestbook
script.  Matt was mailed, and I received no response.  However, the script
is open-source, and the fix should be easy.

If you're running the guestbook program, AND you have HTML posting enabled
(this is a guestbook configuration option) AND you have SSI enabled for
.html files, you are vulnerable.  Other configurations may be vulnerable if
customizations have been made, for example modifying the guestbook.pl
script to write to guestbook.shtml instead of guestbook.html, and having
SSI enabled on .shtml files.

Here's the vulnerability:  When leaving a guestbook entry, type in some SSI
code.  The SSI capabilities are powerful, and include the ability (for
example) to read any file the web server process has rights to, or execute
arbitrary shell commands.  The results will be "posted" to the guestbook
for all to see.  It makes a great HTTP shell.

The format of the SSI command entered is as follows:

<!--#exec cmd="cat /etc/group"

You should place this command (or other desired command) somewhere in the
comments.

The format of the command is part of the problem, and why I'm thinking
there may be some sloppiness in Apache.  It appears that there is an
assumption that SSI commands tend to be on lines by themselves, and are of
the format:

<!--# (SSI command) -->

In my testing with the most recent Apache at the time (1.3.9) I found it
took any of the following:

<!--#exec cmd="cat /etc/group"-->
<!--#exec cmd="cat /etc/group">
<!--#exec cmd="cat /etc/group"

It also didn't seem to matter that it was in the middle of a line of HTML.

Here's the problem line from the guestbook.pl script:

$value =~ s/<!--(.|\n)*-->//g;

As you can see, there is an assumption that SSI commands always end in -->
.  It ought to be easy for a RegEx expert to post a working substitute, so
please do.  (I'm not a RegEx expert, and I didn't get a firm fix.)  Users
ought to be able to patch themselves.

I'm actually a bit more worried about how many other scripts make this
assumption, and how long Apache has been making that be a bad assumption.

Search engines ought to make it easy to find potentially vulnerable hosts.
A script to test for it would be relatively easy as well, so if you use the
guestbook, be sure to patch it quickly.

Does this sound like this set of circumstances would be rare?  Perhaps, but
I found that the web hosting service that my site ( http://www.thievco.com
) lives on forces guestbook.pl on it's clients, via a shared cgi-bin
directory.  And yes, by reviewing the httpd.conf, I can see that some
virtual sites have SSI enabled for .html.

There is (IMNSHO) a very interesting thread on this topic in the vuln-dev
archives for those who want to see all the parties involved in finding this
bug, and the thought process behind it, starting on September 13, 1999.

                                                BB