On Sun, 7 Nov 1999, Stephen White wrote: > Blue Boar wrote: > > If you're running the guestbook program, AND you have HTML posting enabled > > (this is a guestbook configuration option) AND you have SSI enabled for > > .html files, you are vulnerable. Other configurations may be vulnerable if > > customizations have been made, for example modifying the guestbook.pl > > script to write to guestbook.shtml instead of guestbook.html, and having > > SSI enabled on .shtml files. > > Erm, isn't it standard practise not to enable SSI for .html for exactly > this sort of reason? The extension for which SSI parsing is enabled shouldn't make any difference. It's very common to enable SSI parsing for .html files because keeping track of .shtml vs. .html is a useless waste of time, just like keeping track of .php vs .php3 vs .pl vs .cfm vs .asp is a waste of time. You don't gain any security by notifying the public that you're using SSI or PHP, and you sure don't save any time in maintenance if you migrate from one to the other. There is a lot of time wasted in tracking down and fixing links to .html files that are now .shtml files just because you added an #include somewhere, not to mention the difficulty in asking other folks to change their offsite links. Let's not confuse the issue at hand. > When a webdesigner/sysadmin/whoever uses .shtml with CGI enabled they > need to be aware that they are giving whoever generates the HTML a shell > prompt, exactly like using the exec() command in a Perl script, etc, and > the input should be checked accordingly. No, anyone who enables SSI with EXEC enabled is giving the HTML author a shell prompt. The difference between CGI and Includes with Exec privs is quite important. CGI requires that the author have write permissions to the cgi-bin or .cgi files, but the case above is an (old and boring) exploit of public write access to files combined with stupid exposure of those files to abuse via SSI. That's why IncludesNoExec was provided. > This is not a fault of Apache or even Matt's script, but of it being > used incompetently. It's a standard case of if you don't fully > understand the security implictations don't change the configuration. Agreed. But it has nothing to do with the choice of extension for SSI parsing, but with the poor choice of whether to use full SSI or SSI with exec disabled. (Also with the stupidity of allowing SSI parsing on a guestbook in the first place, but so long as the exec keyword isn't parsed, the exposure is merely annoying but not a vulnerability. Steve -- Steven Champeon v: 919.854.1570 Sr. Technical Consultant f: 919.854.1579 hesketh.com/inc. w: hesketh.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:54 PDT