httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 50711] New: QUERY_STRING vulnerability possible remote code execution
Date Wed, 02 Feb 2011 21:48:03 GMT

           Summary: QUERY_STRING vulnerability possible remote code
           Product: Apache httpd-2
           Version: 2.0-HEAD
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: trivial
          Priority: P2
         Component: mod_include

vulnerable URL:$(ls)
-rwxr-xr-x ssi.html as follows:
<!--#exec cmd="/scriptDir/vulnerable.bash $QUERY_STRING;" -->

/scriptDir/vulnerable.bash should be:
#! /bin/ANYsh
echo "$1"

result: "$1" would expand to any command in braces. This example displays a
directory listing instead of the string '$(ls)'

Apache does not escape the dollar sign in query strings. Try:$(ls)

Suggestion: avoid using args in "exec cmd" SSI scripts

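The behaviour the report describes, modelled in plain shell as an added example (not code from the report or from Apache): it contrasts pasting the query string into the command text with reading it from the environment, which the mod_include documentation says is available to "exec cmd" commands. The function names, the allowlist and the harmless `echo INJECTED` marker are constructed for illustration.

```shell
#!/bin/sh
# Constructed model of the reported behaviour; no Apache is involved.
LC_ALL=C; export LC_ALL

# Pattern from the report: the raw query string is pasted into the command
# text, and only afterwards does a shell parse that text. A "$(...)" in the
# request is therefore parsed as a command substitution.
run_interpolated() {
    sh -c "printf '%s\n' $1"
}

# Alternative in line with the report's suggestion: the command text is
# fixed and the script reads QUERY_STRING from its environment. The value
# is expanded as data and is never re-parsed as shell syntax.
run_from_env() {
    QUERY_STRING="$1" sh -c 'printf "%s\n" "$QUERY_STRING"'
}

# Defence in depth (hypothetical allowlist, adjust to the application):
# succeed only if every character of the query string is in the set.
allowed='A-Za-z0-9._=%&-'
is_plain_query() {
    case "$1" in
        *[!$allowed]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample input with a harmless marker command.
sample='$(echo INJECTED)'
printf 'interpolated: %s\n' "$(run_interpolated "$sample")"
printf 'from env:     %s\n' "$(run_from_env "$sample")"
if is_plain_query "$sample"; then
    echo 'allowlist: accepted'
else
    echo 'allowlist: rejected'
fi
```

In an SSI page the second form corresponds to an "exec cmd" line that names only the script, with the script itself reading "$QUERY_STRING".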