guestbook script is still vulnerable under apache
Stunt Pope (markjr at shmOOze.net), Thu, 25 Jun 1998 15:07:41 -0400
- Next message: Chris Adams: "Re: security hole in mailx"
- Previous message: Theo de Raadt: "Re: security hole in mailx"
- Next in thread: Dean Gaudet: "Re: guestbook script is still vulnerable under apache"
Due to what looks to me to be a bug in certain web servers' handling of
malformed SSI tags, I believe I've found a potential vulnerability in the
guestbook script at Matt Wright's archive.
Basically, it is still possible to use the SSI method of attack provided
certain conditions are met:
1) $allow_html is turned on (which it is by default)
2) whatever file holds the messages (guestbook.html) is server parsed
3) the web server executes a malformed SSI
The script attempts to strip out SSIs with the following regex:
$value =~ s/<!--(.|\n)*-->//g;
Which is fairly easily circumvented by entering:
<!--#exec cmd="/bin/cat /etc/passwd"->
It seems to me that if the resultant page is server parsed, the server
(I'm testing this on Apache 1.2.6) will happily execute the SSI. In fact
it will do it in the absence of a closing tag altogether it seems.
<!--#exec cmd="/bin/cat /etc/passwd"
...also seems to work. So it seems to me that the vulnerability exists
because:
1) It's assumed an attacker will enter a correctly formed SSI
2) the httpd executes malformed SSIs
-mark
---
Mark Jeftovic aka: mark jeff or vic, stunt pope.
markjr at shmOOze.net http://www.shmOOze.net/~markjr
Private World's BOFH http://www.PrivateWorld.com
irc: L-bOMb Keep `em Guessing
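The following is an added example, not code from Mark's post or from the guestbook script itself. It renders the script's Perl substitution in Python (the regex semantics are the same), runs it against the three payload shapes the post describes (well-formed, short-closed with "->", and no closing tag at all), and puts a hardened filter beside it that removes any "<!--" through the next "-->" or, failing that, to the end of the entry. The function names and the sample entries are constructed for this example.

```python
import re

# Constructed sample guestbook entries, shaped like the three payloads
# discussed in the post.
WELL_FORMED = '<!--#exec cmd="/bin/cat /etc/passwd"-->'
SHORT_CLOSE = '<!--#exec cmd="/bin/cat /etc/passwd"->'
NO_CLOSE = '<!--#exec cmd="/bin/cat /etc/passwd"'


def strip_ssi_original(value: str) -> str:
    """Python rendering of the script's filter:  s/<!--(.|\\n)*-->//g

    It only removes text that is closed by a literal '-->', so an entry that
    ends in '->' or carries no terminator at all passes through untouched.
    Being greedy, it also swallows legitimate text between two comments.
    """
    return re.sub(r'<!--(.|\n)*-->', '', value)


def strip_ssi_hardened(value: str) -> str:
    """Remove everything from any '<!--' up to the first '-->' or, when the
    comment is never closed, to the end of the entry.  Non-greedy so two
    separate comments do not take the text between them with them."""
    return re.sub(r'<!--.*?(?:-->|$)', '', value, flags=re.DOTALL)


def escape_html(value: str) -> str:
    """The safer alternative when $allow_html is off: neutralise markup
    entirely, so '<!--#' can never reach the server-parsed page as a tag."""
    return (value.replace('&', '&amp;')
                 .replace('<', '&lt;')
                 .replace('>', '&gt;')
                 .replace('"', '&quot;'))


def contains_ssi_start(value: str) -> bool:
    """Post-filter check: does the text still carry an SSI directive opener?"""
    return '<!--#' in value


if __name__ == '__main__':
    for label, payload in (('well-formed', WELL_FORMED),
                           ('short-close', SHORT_CLOSE),
                           ('no-close', NO_CLOSE)):
        kept = strip_ssi_original(payload)
        print(f'{label:12s} original filter leaves SSI opener: '
              f'{contains_ssi_start(kept)}; hardened leaves: '
              f'{contains_ssi_start(strip_ssi_hardened(payload))}')
```

The client-side filter is only half of the fix: whatever is written into guestbook.html, the page should not be served with `Options Includes` enabled; `Options IncludesNOEXEC` keeps server-parsed pages working while refusing `#exec`.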