Bugtraq mailing list archives

Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2)


From: ben () ALGROUP CO UK (Ben Laurie)
Date: Sat, 6 Nov 1999 18:54:33 +0000


[Snippage has occurred]

Blue Boar wrote:
> The format of the SSI command entered is as follows:
>
> <!--#exec cmd="cat /etc/group"
>
> You should place this command (or other desired command) somewhere in the
> comments.
>
> The format of the command is part of the problem, and why I'm thinking
> there may be some sloppiness in Apache.  It appears that there is an
> assumption that SSI commands tend to be on lines by themselves, and are of
> the format:
>
> <!--# (SSI command) -->
>
> In my testing with the most recent Apache at the time (1.3.9) I found it
> took any of the following:
>
> <!--#exec cmd="cat /etc/group"-->
> <!--#exec cmd="cat /etc/group">
> <!--#exec cmd="cat /etc/group"
>
> It also didn't seem to matter that it was in the middle of a line of HTML.
>
> I'm actually a bit more worried about how many other scripts make this
> assumption, and how long Apache has been making that be a bad assumption.

Apache doesn't make a bad assumption. If you don't want SSIs executing
stuff, you shouldn't enable it.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
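
The filtering assumption discussed in this message, as an added example that is not part of the original post and is not code from guestbook.pl or Apache: a filter that removes only complete `<!--# ... -->` directives is compared with escaping the input before it is stored. The function names and the mid-line sample are assumptions made for illustration.

```python
import html
import re

# Constructed inputs: the three directive spellings listed in the post, plus
# one placed mid-line, since the post reports that position did not matter.
SAMPLES = [
    '<!--#exec cmd="cat /etc/group"-->',
    '<!--#exec cmd="cat /etc/group">',
    '<!--#exec cmd="cat /etc/group"',
    'Nice site! <!--#exec cmd="cat /etc/group" bye',
]

SSI_OPENER = "<!--#"

# Hypothetical filter encoding the assumption described in the post:
# a directive is always a complete comment of the form <!--# ... -->.
_COMPLETE_DIRECTIVE = re.compile(r"<!--#.*?-->", re.DOTALL)


def naive_strip(comment):
    """Remove only fully terminated directives; anything else passes through."""
    return _COMPLETE_DIRECTIVE.sub("", comment)


def harden(comment):
    """Escape HTML metacharacters so the stored text cannot contain '<!--#'."""
    return html.escape(comment, quote=True)


def carries_directive(text):
    """True if the text still holds the byte sequence that opens a directive."""
    return SSI_OPENER in text


def audit(samples):
    """Per sample: (opener survives naive filter, opener survives escaping)."""
    return [
        (carries_directive(naive_strip(s)), carries_directive(harden(s)))
        for s in samples
    ]


if __name__ == "__main__":
    for sample, (naive, hardened) in zip(SAMPLES, audit(SAMPLES)):
        print(f"naive={naive!s:5} hardened={hardened!s:5} {sample}")
```

This covers only the script side. The server-side control Ben Laurie refers to is not enabling SSI command execution for the directory that holds the guestbook page; in Apache, `Options IncludesNOEXEC` permits includes while disabling `exec`.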


