Bugtraq archives for 2nd quarter (Apr-Jun) 1998: Re: guestbook script is still vulnerable under apache

Re: guestbook script is still vulnerable under apache

Lars Eilebrecht (Lars.Eilebrecht@UNIX-AG.ORG)
Fri, 26 Jun 1998 02:25:14 +0200

According to Stunt Pope:

[...]
>  ...also seems to work. So it seems to me that the vulnerability exists
>  because:
>
>          1) It's assumed an attacker will enter a correctly formed SSI
>          2) the httpd executes malformed SSI's

IMHO the guestbook script should not try to strip out SSIs, but rather
reject every input which contains the sequence "<!--#".

Apache handles SSI directives as soon as they appear in the document and
doesn't wait for the "-->" ending sequence (by the way, it is possible to use
more than one directive inside an SSI expression,
e.g. <!--#exec cmd="script1.sh" cmd="script2.sh" -->).

If the ending sequence is missing, Apache outputs the error message
"premature EOF in parsed file /path/to/file", but IMHO there is no
reason why it shouldn't execute a valid SSI directive.

Exec-SSIs are a security problem in themselves and one should know about the risks
when enabling them (and enabling them for pages which are generated
from user input, e.g. guestbook pages, is just a stupid idea).


just my $0.02...
--
Lars Eilebrecht                               - Fatal system error:
sfx@unix-ag.org                        - no coffee detected; user halted.
http://www.home.unix-ag.org/sfx/
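The distinction Lars draws between stripping SSIs and rejecting them, as an added example that is not part of the original post and not code from the guestbook script under discussion. The `naive_strip_ssi` filter stands in for the kind of strip-the-directive approach the thread says is insufficient (it is my construction, not the guestbook's actual code); `accept_guestbook_entry` implements the rejection rule from the post. The sample inputs are constructed here, modelled on the cases the thread mentions: a well-formed directive, an unterminated one (no "-->"), and the multi-cmd form quoted above.

```python
import re

# Constructed sample inputs (not taken from the original post).
WELL_FORMED = 'Nice site! <!--#exec cmd="script1.sh" -->'
UNTERMINATED = 'Nice site! <!--#exec cmd="script1.sh"'            # no "-->" ending sequence
MULTI_CMD = 'Hi <!--#exec cmd="script1.sh" cmd="script2.sh" -->'  # form quoted in the post
BENIGN_COMMENT = 'Hi <!-- just an HTML comment -->'               # a comment, not a directive

# The literal start sequence the post says Apache acts on immediately.
SSI_START = "<!--#"


def naive_strip_ssi(text: str) -> str:
    """Hypothetical 'strip' filter: remove only complete <!--# ... --> directives.

    This is the approach the thread argues against. It only matches a
    directive that has its closing "-->", so an unterminated directive
    survives untouched, and the post says Apache processes a directive
    as soon as it appears, without waiting for the ending sequence.
    """
    return re.sub(r"<!--#.*?-->", "", text, flags=re.DOTALL)


def contains_ssi_start(text: str) -> bool:
    """Lars's rule: any occurrence of the start sequence is grounds for rejection."""
    return SSI_START in text


def accept_guestbook_entry(text: str) -> tuple:
    """Return (accepted, detail). Rejects instead of sanitising.

    Rejection does not depend on the directive being well-formed, so the
    unterminated and multi-cmd variants are refused along with the simple one.
    """
    if contains_ssi_start(text):
        return False, "rejected: input contains the SSI start sequence " + SSI_START
    return True, text


def demo() -> dict:
    """Compare both strategies on the constructed inputs; returns results for inspection."""
    results = {}
    for name, sample in [("well_formed", WELL_FORMED), ("unterminated", UNTERMINATED),
                         ("multi_cmd", MULTI_CMD), ("benign_comment", BENIGN_COMMENT)]:
        stripped = naive_strip_ssi(sample)
        accepted, _ = accept_guestbook_entry(sample)
        results[name] = {
            # True means the strip filter left a live start sequence in the output
            "strip_leaves_ssi_start": SSI_START in stripped,
            "reject_rule_accepts": accepted,
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:15s} strip leaves '<!--#': {r['strip_leaves_ssi_start']!s:5s} "
              f"reject rule accepts: {r['reject_rule_accepts']}")
```

Running `demo()` shows the asymmetry the post describes: the strip filter cleans the well-formed and multi-cmd cases but leaves the unterminated directive intact, while the rejection rule refuses all three and still lets an ordinary HTML comment through. Rejecting on the start sequence is also what a guestbook that writes into an SSI-parsed page needs, since the server, not the script, decides what counts as a complete directive.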