------------------------------------------------------------------- Periodically, the moderator of of the vuln-dev mailing list will post summaries of issues discussed there to Bugtraq and possibly other relevant lists. This will usually happen when an issue has been resolved, or it appears that there will be no further discussion on vuln-dev. Each separate issue will be given it's own posting to facilitate referencing them separately, for discussion, forwarding, or appearance in vulnerability databases. To subscribe to vuln-dev, send an e-mail to listservat_private, with the word SUBSCRIBE in the body of the message. A FAQ and archive can be found at www.securityfocus.com-->forums-->vuln-dev (click on these sections, the web pages are forms-based.) ------------------------------------------------------------------- There exists a vulnerability in the guestbook CGI program from Matt's Archive: http://www.worldwidemart.com/scripts/guestbook.shtml Given a particular set of configuration options (see below) it is possible for anyone to enter Server-Side Include (SSI) commands via the guestbook script. Matt was mailed, and I received no response. However, the script is open-source, and the fix should be easy. If you're running the guestbook program, AND you have HTML posting enabled (this is a guestbook configuration option) AND you have SSI enabled for .html files, you are vulnerable. Other configurations may be vulnerable if customizations have been made, for example modifying the guestbook.pl script to write to guestbook.shtml instead of guestbook.html, and having SSI enabled on .shtml files. Here's the vulnerability: When leaving a guestbook entry, type in some SSI code. The SSI capabilities are powerful, and include the ability (for example) to read any file the web server process has rights to, or execute arbitrary shell commands. The results will be "posted" to the guestbook for all to see. It makes a great HTTP shell. The format of the SSI command entered is as follows: <!--#exec cmd="cat /etc/group" You should place this command (or other desired command) somewhere in the comments. The format of the command is part of the problem, and why I'm thinking there may be some sloppiness in Apache. It appears that there is an assumption that SSI commands tend to be on lines by themselves, and are of the format: <!--# (SSI command) --> In my testing with the most recent Apache at the time (1.3.9) I found it took any of the following: <!--#exec cmd="cat /etc/group"--> <!--#exec cmd="cat /etc/group"> <!--#exec cmd="cat /etc/group" It also didn't seem to matter that it was in the middle of a line of HTML. Here's the problem line from the guestbook.pl script: $value =~ s/<!--(.|\n)*-->//g; As you can see, there is an assumption that SSI commands always end in --> . It ought to be easy for a RegEx expert to post a working substitute, so please do. (I'm not a RegEx expert, and I didn't get a firm fix.) Users ought to be able to patch themselves. I'm actually a bit more worried about how many other scripts make this assumption, and how long Apache has been making that be a bad assumption. Search engines ought to make it easy to find potentially vulnerable hosts. A script to test for it would be relatively easy as well, so if you use the guestbook, be sure to patch it quickly. Does this sound like this set of circumstances would be rare? Perhaps, but I found that the web hosting service that my site ( http://www.thievco.com ) lives on forces guestbook.pl on it's clients, via a shared cgi-bin directory. And yes, by reviewing the httpd.conf, I can see that some virtual sites have SSI enabled for .html. There is (IMNSHO) a very interesting thread on this topic in the vuln-dev archives for those who want to see all the parties involved in finding this bug, and the thought process behind it, starting on September 13, 1999. BB
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:50 PDT