Bugtraq mailing list archives

Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2)


From: swhite () OX COMPSOC NET (Stephen White)
Date: Sun, 7 Nov 1999 02:31:03 +0000


Blue Boar wrote:
> If you're running the guestbook program, AND you have HTML posting enabled
> (this is a guestbook configuration option) AND you have SSI enabled for
> .html files, you are vulnerable.  Other configurations may be vulnerable if
> customizations have been made, for example modifying the guestbook.pl
> script to write to guestbook.shtml instead of guestbook.html, and having
> SSI enabled on .shtml files.

Erm, isn't it standard practice not to enable SSI for .html for exactly
this sort of reason?  When a webdesigner/sysadmin/whoever uses .shtml
with CGI enabled they need to be aware that they are giving whoever
generates the HTML a shell prompt, exactly like using the exec() command
in a Perl script, etc, and the input should be checked accordingly.

This is not a fault of Apache or even Matt's script, but of it being
used incompetently.  It's a standard case of: if you don't fully
understand the security implications, don't change the configuration.

BTW, I have lots of .shtml of the form <a href="someurl"><!--#include
virtual="randimg.pl"--></a> and I certainly expect apache to run it.
This is the correct behaviour.

--
Stephen White <swhite () ox compsoc net>
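
An added example, not part of the original post or of guestbook.pl: one way to check guestbook input as the post says it should be, plus an audit of an already stored page, written in Python rather than the script's Perl. The function names, the `allowed` parameter and the sample page are constructed for illustration.

```python
import re

# SSI directives are HTML comments of the form <!--#element attr="value" -->.
COMMENT_OPEN = re.compile(r"<!--")
SSI_DIRECTIVE = re.compile(r"<!--#\s*([A-Za-z]+)")

def neutralize_ssi(entry):
    """Escape every comment opener in visitor input, closed or not.

    Ordinary tags such as <b> survive, so HTML posting still works. The
    replacement contains no '<', so one pass cannot create a new opener.
    """
    return COMMENT_OPEN.sub("&lt;!--", entry)

def find_ssi_directives(page, allowed=()):
    """Return (line, element) for each SSI directive not in `allowed`."""
    hits = []
    for m in SSI_DIRECTIVE.finditer(page):
        element = m.group(1).lower()
        if element not in allowed:
            line = page.count("\n", 0, m.start()) + 1
            hits.append((line, element))
    return hits

# Constructed sample: a stored guestbook page with two visitor entries.
SAMPLE_PAGE = (
    '<!--#include virtual="header.html" -->\n'
    '<b>Nice site!</b>\n'
    '<i>hello</i> <!--#echo var="DATE_LOCAL" -->\n'
)

if __name__ == "__main__":
    # The site's own include is expected; the echo in an entry is not.
    print(find_ssi_directives(SAMPLE_PAGE, allowed=("include",)))
    print(neutralize_ssi('<i>hello</i> <!--#echo var="DATE_LOCAL" -->'))
```

On the server side, Apache's `Options IncludesNOEXEC` permits SSI while disabling `#exec`, which limits what a directive that slips through can do.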
