Re: guestbook script is still vulnerable under apache

From: Dean Gaudet (dgaudet-list-bugtraqat_private)
Date: Thu Jun 25 1998 - 14:27:04 PDT


    I'd hardly call this a security flaw in apache. I'd call it a security
    flaw in the script.  Scripts should not go about generating SSI based on
    user input.  It's trivial to configure the server to avoid this -- use a
    different file extension for ssi and non-ssi.
    
    Apache does diagnose the malformed tag:
    
    [Thu Jun 25 14:23:23 1998] [error] httpd: premature EOF in parsed file
    /blah/blah/tt.shtml
    
    But the diagnosis occurs after it has executed the command, and we're
    unlikely to change that.  The parser just executes things as it encounters
    them.  It does not attempt to find an entire tag first... that's
    needlessly complex.  (Consider long tags spanning multiple input buffers.)
    
    Dean
    
    On Thu, 25 Jun 1998, Stunt Pope wrote:
    
    > Due to what looks to me to be a bug in certain webservers' handling of
    > malformed SSI tags, I believe I've found a potential vulnerability in the
    > guestbook script at Matt Wright's archive.
    >
    > Basically, it is still possible to use the SSI method of attack provided
    > certain conditions are met:
    >
    >         1) $allow_html is turned on (which it is by default)
    >         2) whatever file holds the messages (guestbook.html) is
    >            server parsed
    >         3) the web server executes a malformed SSI
    >
    > The script attempts to strip out SSIs with the following regex:
    >
    > $value =~ s/<!--(.|\n)*-->//g;
    >
    > Which is fairly easily circumvented by entering:
    >
    > <!--#exec cmd="/bin/cat /etc/passwd"->
    >
    > It seems to me that if the resultant page is server parsed, the server
    > (I'm testing this on Apache 1.2.6) will happily execute the SSI. In fact
    > it will do it in the absence of a closing tag altogether it seems.
    >
    > <!--#exec cmd="/bin/cat /etc/passwd"
    >
    > ...also seems to work. So it seems to me that the vulnerability exists
    > because:
    >
    >         1) It's assumed an attacker will enter a correctly formed SSI
    >         2) the httpd executes malformed SSIs
    >
    > -mark
    >
    >
    > ---
    > Mark Jeftovic                   aka: mark jeff or vic, stunt pope.
    > markjrat_private              http://www.shmOOze.net/~markjr
    > Private World's BOFH            http://www.PrivateWorld.com
    > irc: L-bOMb                     Keep `em Guessing
    >
    
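    An added illustration of the two points in this thread (not part of either post, and not the guestbook script's own code): the script's regex only removes a comment that has both an opener and a proper `-->` closer, while mod_include acts as soon as it sees `<!--#`, so the defensive fix is to neutralise the opener (or, as Dean says, keep user-written files out of the server-parsed extension entirely). The function names, the hardened variants and the sample inputs are my own assumptions.

```python
import html
import re

# The guestbook's filter, Perl s/<!--(.|\n)*-->//g, reproduced with the
# same semantics: a match needs BOTH "<!--" and a closing "-->".
VULNERABLE_RE = re.compile(r"<!--(.|\n)*-->")


def vulnerable_strip(value: str) -> str:
    """Filter as shipped: silently passes anything without a full '-->'."""
    return VULNERABLE_RE.sub("", value)


# What mod_include keys on is the opener "<!--#"; it starts processing the
# directive there and does not first look for a well-formed closer.
SSI_OPENER_RE = re.compile(r"<!--\s*#")


def contains_ssi_directive(value: str) -> bool:
    """Server-side check: is there still text mod_include would act on?"""
    return SSI_OPENER_RE.search(value) is not None


def hardened_escape(value: str) -> str:
    """Preferred fix: HTML-escape the whole value. '<' becomes '&lt;', so no
    directive can survive whether or not it is closed. Loses $allow_html."""
    return html.escape(value, quote=True)


def hardened_strip_opener(value: str) -> str:
    """Minimal fix if HTML must stay allowed: remove every '<!--' opener,
    closed or not, instead of trying to match a complete comment."""
    return re.sub(r"<!--", "", value)


# Constructed samples, all using a harmless command. The first is what the
# original regex expected; the other two are the malformed shapes that the
# thread reports Apache still executes.
SAMPLES = {
    "well_formed": '<!--#exec cmd="/bin/date"-->',
    "short_close": '<!--#exec cmd="/bin/date"->',
    "no_close": '<!--#exec cmd="/bin/date"',
}


def audit(filter_fn) -> dict:
    """Map each sample to whether a directive survives the given filter."""
    return {name: contains_ssi_directive(filter_fn(s)) for name, s in SAMPLES.items()}
```

Running `audit(vulnerable_strip)` shows the shipped filter only handles the well-formed case, while both hardened variants leave nothing for mod_include to act on.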



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:35 PDT