According to Stunt Pope:

[...]
> ...also seems to work. So it seems to me that the vulnerability exists
> because:
>
> 1) It's assumed an attacker will enter a correctly formed SSI
> 2) the httpd executes malformed SSIs

IMHO the guestbook script should not try to strip out SSIs, but rather reject every input which contains the sequence "<!--#".

Apache handles SSI directives as soon as they appear in the document and doesn't wait for the "-->" ending sequence (by the way, it is possible to use more than one directive inside an SSI expression, e.g. <!--#exec cmd="script1.sh" cmd="script2.sh" -->). If the ending sequence is missing, Apache outputs the error message "premature EOF in parsed file /path/to/file", but IMHO there is no reason why it shouldn't execute a valid SSI directive.

Exec-SSIs are a security problem in themselves and one should know about the risks when enabling them (and enabling them for pages which are generated from user input, e.g. guestbook pages, is just a stupid idea).

just my $0.02...

--
Lars Eilebrecht                  - Fatal system error:
sfx@unix-ag.org                  - no coffee detected; user halted.
http://www.home.unix-ag.org/sfx/
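The filter bypass discussed in this message, as an added example (not code from the original post, from Stunt Pope's guestbook script, or from Apache): a sanitizer that strips only well-formed "<!--#" ... "-->" pairs, the reject-on-"<!--#" check Lars recommends, and a deliberately simplified model of the parsing behaviour he describes (a directive begins at "<!--#" and is acted on even when "-->" never arrives). The guestbook entries are constructed sample input, and find_ssi_directives is an illustration of that behaviour, not mod_include's actual code.

```python
import re
from typing import List, Tuple

# Constructed guestbook entries (sample input, not from the original post).
WELL_FORMED = 'Nice site! <!--#exec cmd="/bin/id" --> Regards'
TRUNCATED = 'Nice site! <!--#exec cmd="/bin/id"'          # no closing -->
MULTI_CMD = '<!--#exec cmd="script1.sh" cmd="script2.sh" -->'
CLEAN = 'Nice site! <!-- plain HTML comment --> Regards'

# The kind of filter the thread criticises: it only removes directives that
# are fully formed, i.e. "<!--#" followed eventually by "-->".
_WELL_FORMED_SSI = re.compile(r"<!--#.*?-->", re.DOTALL)


def strip_well_formed_ssi(text: str) -> str:
    """Vulnerable sanitizer: misses any directive whose '-->' is missing."""
    return _WELL_FORMED_SSI.sub("", text)


def is_ssi_free(text: str) -> bool:
    """Hardened check from the post: the start sequence alone is enough to
    refuse the entry, regardless of whether it is terminated."""
    return "<!--#" not in text


def reject_ssi(text: str) -> str:
    """Raise instead of trying to clean; the caller discards the entry."""
    if not is_ssi_free(text):
        raise ValueError("entry contains SSI start sequence '<!--#'")
    return text


# Simplified model (an assumption for illustration, not mod_include code):
# a directive starts at "<!--#"; its element name and name="value" attributes
# are read up to "-->" or, if that never comes, to the end of the data.
_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def find_ssi_directives(text: str) -> List[Tuple[str, List[Tuple[str, str]], bool]]:
    """Return (element, [(attr, value), ...], terminated) per directive.
    Attributes are kept as a list so repeated ones (cmd= cmd=) stay visible."""
    found = []
    pos = 0
    while True:
        start = text.find("<!--#", pos)
        if start == -1:
            return found
        body_start = start + len("<!--#")
        end = text.find("-->", body_start)
        terminated = end != -1
        body = text[body_start:end] if terminated else text[body_start:]
        parts = body.strip().split(None, 1)
        element = parts[0] if parts else ""
        attrs = _ATTR.findall(parts[1]) if len(parts) > 1 else []
        found.append((element, attrs, terminated))
        pos = end + 3 if terminated else len(text)


if __name__ == "__main__":
    for label, entry in (("well-formed", WELL_FORMED), ("truncated", TRUNCATED)):
        after = strip_well_formed_ssi(entry)
        print(f"{label}: after strip -> {after!r}")
        print(f"{label}: directives still parsed -> {find_ssi_directives(after)}")
        print(f"{label}: accepted by reject-on-'<!--#' -> {is_ssi_free(entry)}")
    print("multi-cmd attrs ->", find_ssi_directives(MULTI_CMD)[0][1])
```

Running it shows the point of the thread: the well-formed entry is cleaned, the truncated one comes back unchanged from the strip yet still parses as an exec directive with its cmd attribute, and the reject check refuses both while passing an ordinary HTML comment. The list-of-tuples attribute form also makes the two cmd= values of the multi-directive example visible, which a dict would silently collapse.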
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:37 PDT