Bugtraq mailing list archives
Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2)
From: swhite () OX COMPSOC NET (Stephen White)
Date: Sun, 7 Nov 1999 02:31:03 +0000
Blue Boar wrote:
If you're running the guestbook program, AND you have HTML posting enabled (this is a guestbook configuration option) AND you have SSI enabled for .html files, you are vulnerable. Other configurations may be vulnerable if customizations have been made, for example modifying the guestbook.pl script to write to guestbook.shtml instead of guestbook.html, and having SSI enabled on .shtml files.
Erm, isn't it standard practise not to enable SSI for .html for exactly this sort of reason? When a webdesigner/sysadmin/whoever uses .shtml with CGI enabled they need to be aware that they are giving whoever generates the HTML a shell prompt, exactly like using the exec() command in a Perl script, etc, and the input should be checked accordingly. This is not a fault of Apache or even Matt's script, but of it being used incompetently. It's a standard case of if you don't fully understand the security implictations don't change the configuration. BTW, I have lots of .shtml of the form <a href="someurl"><!--#include virtual="randimg.pl"--></a> and I certainly expect apache to run it. This is the correct behaviour. -- Stephen White <swhite () ox compsoc net>
Current thread:
- Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Blue Boar (Nov 05)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Marc Slemko (Nov 06)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Ben Laurie (Nov 06)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Stephen White (Nov 06)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Steven Champeon (Nov 07)
- Patch for VirusWall 3.23. dark spyrit (Nov 07)
- Netscape Web Publisher Tim Jones (Nov 06)
- Re: Netscape Web Publisher Mnemonix (Nov 07)
- Re: Netscape Web Publisher nblasgen () NICK REFRACT COM (Nov 07)
- vwxploit.c unix port Sebastian (Nov 08)
- Windows NT Spooler Service. Avri Schneider (Nov 07)
- [w00giving '99 #2] IMAIL POP server Shok (Nov 07)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Blue Boar (Nov 07)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Jefferson Ogata (Nov 08)
(Thread continues...)