Bugtraq mailing list archives
Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2)
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Sun, 7 Nov 1999 18:35:21 -0800
Stephen White wrote:

> Erm, isn't it standard practise not to enable SSI for .html for exactly this sort of reason?

That would be the smart thing to do.

> When a webdesigner/sysadmin/whoever uses .shtml with CGI enabled they need to be aware that they are giving whoever generates the HTML a shell prompt, exactly like using the exec() command in a Perl script, etc,

Yup.

> and the input should be checked accordingly.

Input wasn't checked adequately in this case, that's the problem.

> This is not a fault of Apache or even Matt's script, but of it being used incompetently.

Matt's script recognizes that it may be used in an environment where SSI is enabled on .html. It tries to check for SSI commands being passed. It fails. That's a bug, and in this case the bug has security implications. The script is at fault, and can be fixed. Perversely, had the script not made any attempt to check for SSI, you could make a case that it was misused. So it goes.

> It's a standard case of if you don't fully understand the security implications don't change the configuration.

IMNSHO, SSI should just be turned off on public web servers. I believe that if it's on, the admin doesn't understand the security implications.

> BTW, I have lots of .shtml of the form <a href="someurl"><!--#include virtual="randimg.pl"--></a> and I certainly expect apache to run it. This is the correct behaviour.

Let me clarify my comment about "even in the middle of some HTML". The above example should be fine, by my thinking. The HTML and SSI are separated. There is an explicit closing SSI tag (-->). A parser should have no trouble understanding the difference between the HTML and SSI.

Here's what I'm talking about:

sometext sometext <!#--some SSI <B> sometext </B>... to the end of the file.

Now, it was pointed out that SSI can be across multiple lines. That's fine. The problem I see is that Apache (and I'm picking on Apache because that's what I tested, and that's what I care most about being correct and secure) goes ahead and processes the SSI even though there is never a closing -->, and there is a bunch of stuff following the SSI command. This is standard HTMLish behavior. I guess I would have expected the command to bomb because it was either missing the closing tag, or because it included a bunch of stuff (the rest of the file) that wasn't legal SSI commands. It just struck me as funny that it didn't seem to care about the garbage. I would have expected something with an obvious security impact like SSI to be handled more carefully.

(Yes, it did complain in the logs):

[Sun Nov 7 18:30:12 1999] [error] [client x.x.x.x] premature EOF in parsed file /usr/local/apache/htdocs/guestbook.shtml

BB
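The two failure modes discussed in this thread, a directive with no closing `-->` and a directive spread across lines, are exactly the ones a "strip the SSI tag" filter misses. The following is an added example, not Matt's guestbook.pl and not Apache code. It models the behaviour Blue Boar observed (mod_include acts on the directive start string `<!--#`, its default `SSIStartTag`, whether or not a closing `-->` ever arrives) and contrasts a naive pair-matching filter with two checks that do not depend on the closing tag: rejecting any occurrence of the start string, or HTML-escaping the entry before it is written into the parsed file. The sample submissions are constructed for the example.

```python
"""Why 'delete <!--#...-->' is not an adequate SSI check for a guestbook that
writes visitor input into an SSI-parsed file.

Added example, not Matt's guestbook.pl and not Apache code.  The server model
below reflects the behaviour described in the post: a directive start string
anywhere in the parsed file is acted on even when '-->' never follows (Apache
only logs 'premature EOF in parsed file').
"""
import html
import re

SSI_START = "<!--#"   # mod_include's default SSIStartTag

# Constructed guestbook submissions (not taken from the original thread).
SAMPLES = {
    "benign":    'Nice site! Visit <a href="http://example.invalid/">me</a>',
    "closed":    'hello <!--#exec cmd="id"--> world',
    # The directive is never closed; the rest of the file becomes its "argument".
    "unclosed":  'hello <!--#exec cmd="id" <B>world</B>',
    # Directives may span lines, which a single-line regex will not match.
    "multiline": 'hello <!--#exec\ncmd="id" --> world',
}


def naive_strip(entry: str) -> str:
    """The check that looks sufficient: delete every <!--#...--> pair.

    Without re.DOTALL '.' stops at a newline, and a directive with no
    closing '-->' is never matched, so both of those survive untouched.
    The start string is all the server needs to see.
    """
    return re.sub(r"<!--#.*?-->", "", entry)


def apache_would_parse(stored_html: str) -> bool:
    """Model of the observed server behaviour: a directive start anywhere in
    the parsed file is acted on, closed or not."""
    return SSI_START in stored_html


def reject_ssi(entry: str) -> bool:
    """Reject-on-sight check: refuse the entry if the start string appears at
    all.  Independent of the closing tag and of line boundaries."""
    return SSI_START in entry


def harden(entry: str) -> str:
    """Escape the entry before writing it into the SSI-parsed file.  Every '<'
    becomes '&lt;', so no comment, and therefore no directive, can begin."""
    return html.escape(entry, quote=True)


def evaluate(entry: str) -> dict:
    """What happens to one submission under each treatment."""
    return {
        "naive_is_parsed": apache_would_parse(naive_strip(entry)),
        "rejected": reject_ssi(entry),
        "hardened_is_parsed": apache_would_parse(harden(entry)),
    }


if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(f"{name:10} {evaluate(entry)}")
```

Running the block shows the naive filter letting both the unclosed and the multi-line directive through to the parser, while the reject check flags every sample that carries the start string and the escaped output never contains it. Escaping is the more general fix, since it also neutralises any other markup a visitor submits; rejecting on `<!--#` is the minimal change if the guestbook is meant to allow some HTML.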