Blue Boar wrote: > If you're running the guestbook program, AND you have HTML posting enabled > (this is a guestbook configuration option) AND you have SSI enabled for > .html files, you are vulnerable. Other configurations may be vulnerable if > customizations have been made, for example modifying the guestbook.pl > script to write to guestbook.shtml instead of guestbook.html, and having > SSI enabled on .shtml files. Erm, isn't it standard practise not to enable SSI for .html for exactly this sort of reason? When a webdesigner/sysadmin/whoever uses .shtml with CGI enabled they need to be aware that they are giving whoever generates the HTML a shell prompt, exactly like using the exec() command in a Perl script, etc, and the input should be checked accordingly. This is not a fault of Apache or even Matt's script, but of it being used incompetently. It's a standard case of if you don't fully understand the security implictations don't change the configuration. BTW, I have lots of .shtml of the form <a href="someurl"><!--#include virtual="randimg.pl"--></a> and I certainly expect apache to run it. This is the correct behaviour. -- Stephen White <swhiteat_private>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:54 PDT