Bugtraq mailing list archives

Re: guestbook script is still vulnerable under apache


From: luvisi () andru sonoma edu (Andru Luvisi)
Date: Thu, 25 Jun 1998 15:59:26 -0700


On Thu, 25 Jun 1998, Theo Van Dinter wrote:
[snip]
> I don't use the program in question so I can't pass this on to the author, but
> here is a replacement for that "bad" line that will handle all (to my
> knowledge) SSI's including malformed ones:
>
>     $value=~s{
>         <!                  # Comments start with <!
>         ([^<>]|<[^<>]+>)*   # Remove anything in between, including
>                             # the non-spec'ed included tags ...
>         >                   # End of the comment.
>     }{}gsx;                 # Replace with Nothing
>
>
> This replaces <! ... >, including "not correct" commented-out tags.
> Works great in a little web spider I wrote.

I'm not convinced this is a complete solution:
andru:~$ cat sub.pl
#!/usr/bin/perl -p

     s{
         <!                  # Comments start with <!
         ([^<>]|<[^<>]+>)*   # Remove anything in between, including
                             # the non-spec'ed included tags ...
         >                   # End of the comment.
     }{}gsx;                 # Replace with Nothing


andru:~$ perl sub.pl
<<!>!--#exec #cmd="/bin/echo foo">
<!--#exec #cmd="/bin/echo foo">
andru:~$


perhaps something like:
 while($value =~ /<!/) {
   ...
 }

would be better...

though I agree that the "correct" solution is to simply configure your
server so that it doesn't parse the guestbook.

andru
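As an added example (not code from either poster), the loop sketched above carried through to a working filter. It reuses the substitution quoted in the thread and wraps it in a loop that repeats until the text stops changing, so the nested opener shown in the transcript is removed on the second pass instead of surviving. The guard for an unterminated "<!" and the test inputs are this example's own additions; without such a guard a bare `while ($value =~ /<!/)` never terminates on input that contains "<!" with no closing ">".

```perl
#!/usr/bin/perl
# Added example, not code from the original message: a fixed-point version of
# the stripping loop the reply sketches. The substitution is the one quoted in
# the thread; the loop guard and the test inputs are this example's own.
use strict;
use warnings;

# Strip "<! ... >" constructs, repeating until the text stops changing so that
# a nested opener such as "<<!>!--#exec ...>" cannot survive a single pass.
sub strip_ssi {
    my ($value) = @_;
    my $passes = 0;

    while ($value =~ /<!/) {
        my $before = $value;

        $value =~ s{
            <!                  # Comments start with <!
            ([^<>]|<[^<>]+>)*   # Remove anything in between, including
                                # the non-spec'ed included tags ...
            >                   # End of the comment.
        }{}gsx;                 # Replace with Nothing

        # An unterminated "<!" never matches the pattern above, so a plain
        # "while (/<!/)" loop would spin forever. If a pass changed nothing,
        # drop everything from the stray opener onwards and stop.
        if ($value eq $before) {
            $value =~ s/<!.*\z//s;
            last;
        }

        # Each pass removes at least one "<!", so this is only a safety net.
        die "strip_ssi: too many passes\n" if ++$passes > 100;
    }
    return $value;
}

# Constructed test inputs: the bypass from the original message, a deeper
# nesting of the same trick, a harmless comment, an unterminated opener and
# text with nothing to strip.
my @cases = (
    [ '<<!>!--#exec #cmd="/bin/echo foo">',    '' ],
    [ '<<<!>!>!--#exec #cmd="/bin/echo foo">', '' ],
    [ 'hi <!-- a comment --> there',           'hi  there' ],
    [ 'hi <!--#exec cmd="id"',                 'hi ' ],
    [ 'no directives here',                    'no directives here' ],
);

for my $case (@cases) {
    my ($input, $expected) = @$case;
    my $got = strip_ssi($input);
    printf "%-4s %s\n", ($got eq $expected ? 'ok' : 'FAIL'), $input;
}
```

The filter is defence in depth only: as the reply says, the real fix is to stop the server parsing the guestbook at all, which on Apache means leaving `Includes` out of the `Options` for that directory (or at least using `IncludesNOEXEC`, which disables `#exec`).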


