Exploit-Dev Archives: Re: Guestbook perl script (error fix)

Re: Guestbook perl script (error fix)


Erik Parker (eparkerMINDSEC.COM)
Fri, 8 Oct 1999 10:10:10 -0600


True, but you cannot be reckless with your SSIs anyway,
even when allowing them. In Apache, you should only be allowing
SSIs in the directories they are going to be run in... never
the entire site, unless the ENTIRE site will be using them.

I've seen first hand people who auto-update their sites, but
getting a headers file... or something... like the Security
Focus news that other people carry... and tons of other people...

When people are polling it, if you insert an SSI to cat files
or run programs, it will grab that file and execute it. That
says more than a little: it says they have SSI enabled for that directory,
or the entire site, and it is defaulting to chmod +x the file.

Another good way to make sure you aren't running these SSIs (with Apache
anyway) is not to set that x bit on your text files. :)

On Fri, 8 Oct 1999, Matt Carothers wrote:

> On Mon, 4 Oct 1999, Blue Boar wrote:
>
> > During my testing of the exploit, I've found that all of these work:
> >
> > <!--#exec cmd="cat /etc/group"-->
> > <!--#exec cmd="cat /etc/group">
> > <!--#exec cmd="cat /etc/group"
> >
> > This works even in the middle of a line of HTML code!
> [...]
> > Can anyone else verify that their web server behaves similarly, and that I
> > haven't configured or compiled something funny? I haven't had time to dig
> > into the Apache code yet.
>
> Yeah, that's normal behavior. If mod_include sees a "<!--#", it processes
> the directive. After it's done with the directive, it looks for "-->" and
> logs a "premature EOF" error if it doesn't find it.
>
> > I suggest that folks look for lines that have <!-- in them, and dump the
> > whole line for safety's sake, when writing such scripts. In my brief
> > testing, the entire <!-- prefix seemed necessary.
>
> The entire "<!--#" has to be there to trigger a directive handler. Removing
> all occurrences of "<!--#" from the input is sufficient to neuter all
> server-side includes.
>
> $value =~ s/<!--#//g;
>
> - Matt
>

Erik Parker
eparkermindsec.com
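A Python rendering of the two fixes discussed in the quoted thread (Matt's removal of every "<!--#" and Blue Boar's suggestion to drop any whole line containing "<!--"), added here as an example and not code from the thread or from the guestbook script; the guestbook entries are constructed samples, and the repeat-until-stable loop is an added hardening step, not something the thread states.

```python
# Opener that mod_include treats as the start of a directive (from the thread:
# the whole "<!--#" must be present; the closing "-->" is optional).
SSI_MARKER = "<!--#"


def has_ssi(text: str) -> bool:
    """True if the text still carries a directive opener anywhere, even mid-line."""
    return SSI_MARKER in text


def strip_ssi(text: str) -> str:
    """Matt's approach: delete every "<!--#".  Applied until the text stops
    changing, because a single pass can splice the characters on either side
    of a removed marker into a fresh "<!--#" (added hardening, assumption)."""
    previous = None
    while previous != text:
        previous = text
        text = text.replace(SSI_MARKER, "")
    return text


def drop_comment_lines(text: str) -> str:
    """Blue Boar's approach: throw away any whole line containing "<!--"."""
    return "\n".join(line for line in text.splitlines() if "<!--" not in line)


# Constructed guestbook entries: the three variants quoted in the thread, a
# directive buried inside ordinary HTML, and a nested one that a single
# substitution pass would not fully remove.
SAMPLES = [
    '<!--#exec cmd="cat /etc/group"-->',
    '<!--#exec cmd="cat /etc/group">',
    '<!--#exec cmd="cat /etc/group"',
    '<b>nice page</b> <!--#exec cmd="cat /etc/group"--> thanks!',
    '<!--<!--##exec cmd="cat /etc/group"',
]


def all_neutered(entries) -> bool:
    """Both filters must leave no directive opener behind in any entry."""
    return all(not has_ssi(strip_ssi(e)) and not has_ssi(drop_comment_lines(e))
               for e in entries)


if __name__ == "__main__":
    for entry in SAMPLES:
        print(repr(entry), "->", repr(strip_ssi(entry)))
    print("all neutered:", all_neutered(SAMPLES))
```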



This archive was generated by hypermail 2.0b3 on Sat Oct 09 1999 - 00:16:14 CDT