Bugtraq mailing list archives

Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2)

From: schampeo () HESKETH COM (Steven Champeon)
Date: Sun, 7 Nov 1999 18:20:00 -0500


On Sun, 7 Nov 1999, Stephen White wrote:

Blue Boar wrote:

If you're running the guestbook program, AND you have HTML posting enabled
(this is a guestbook configuration option) AND you have SSI enabled for
.html files, you are vulnerable.  Other configurations may be vulnerable if
customizations have been made, for example modifying the guestbook.pl
script to write to guestbook.shtml instead of guestbook.html, and having
SSI enabled on .shtml files.


Erm, isn't it standard practise not to enable SSI for .html for exactly
this sort of reason?


The extension for which SSI parsing is enabled shouldn't make any
difference.  It's very common to enable SSI parsing for .html files
because keeping track of .shtml vs. .html is a useless waste of time, just
like keeping track of .php vs .php3 vs .pl vs .cfm vs .asp is a waste of
time. You don't gain any security by notifying the public that you're
using SSI or PHP, and you sure don't save any time in maintenance if you
migrate from one to the other. There is a lot of time wasted in tracking
down and fixing links to .html files that are now .shtml files just
because you added an #include somewhere, not to mention the difficulty in
asking other folks to change their offsite links.

Let's not confuse the issue at hand.

When a webdesigner/sysadmin/whoever uses .shtml with CGI enabled they
need to be aware that they are giving whoever generates the HTML a shell
prompt, exactly like using the exec() command in a Perl script, etc, and
the input should be checked accordingly.


No, anyone who enables SSI with EXEC enabled is giving the HTML author a
shell prompt. The difference between CGI and Includes with Exec privs is
quite important. CGI requires that the author have write permissions to
the cgi-bin or .cgi files, but the case above is an (old and boring)
exploit of public write access to files combined with stupid exposure of
those files to abuse via SSI. That's why IncludesNoExec was provided.

This is not a fault of Apache or even Matt's script, but of it being
used incompetently.  It's a standard case of if you don't fully
understand the security implictations don't change the configuration.


Agreed. But it has nothing to do with the choice of extension for SSI
parsing, but with the poor choice of whether to use full SSI or SSI with
exec disabled. (Also with the stupidity of allowing SSI parsing on a
guestbook in the first place, but so long as the exec keyword isn't
parsed, the exposure is merely annoying but not a vulnerability.

Steve

--
Steven Champeon                 v: 919.854.1570
Sr. Technical Consultant        f: 919.854.1579
hesketh.com/inc.                w: hesketh.com

Current thread:

Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Blue Boar (Nov 05)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Marc Slemko (Nov 06)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Ben Laurie (Nov 06)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Stephen White (Nov 06)
  - Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Steven Champeon (Nov 07)
  - Patch for VirusWall 3.23. dark spyrit (Nov 07)
- Netscape Web Publisher Tim Jones (Nov 06)
  - Re: Netscape Web Publisher Mnemonix (Nov 07)
  - Re: Netscape Web Publisher nblasgen () NICK REFRACT COM (Nov 07)
  - vwxploit.c unix port Sebastian (Nov 08)
- Windows NT Spooler Service. Avri Schneider (Nov 07)
- [w00giving '99 #2] IMAIL POP server Shok (Nov 07)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Blue Boar (Nov 07)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Jefferson Ogata (Nov 08)
- MS Outlook alert : Cuartango Active Setup Elias Levy (Nov 08)

(Thread continues...)