httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 50711] New: QUERY_STRING vulnerability possible remote code execution
Date Wed, 02 Feb 2011 21:48:03 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=50711

           Summary: QUERY_STRING vulnerability possible remote code
                    execution
           Product: Apache httpd-2
           Version: 2.0-HEAD
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: trivial
          Priority: P2
         Component: mod_include
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: kzg@xc.hu


example: 
vulnerable URL: http://lameserver.hu/ssi.html?$(ls)
-rwxr-xr-x ssi.html as follows:
<!--#exec cmd="/scriptDir/vulnerable.bash $QUERY_STRING;" -->

/scriptDir/vulnerable.bash should be:
#! /bin/ANYsh
echo "$1"

result: "$1" would expand to any command in braces. This example displays a
directory listing instead of the string '$(ls)'.

Apache does not escape the dollar sign in query strings. Try:
http://apache.org/?$(ls)

Suggestion: avoid using args in "exec cmd" SSI scripts
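
Added example, not part of the original report or of Apache httpd: a shell sketch of the behaviour described above, comparing a value pasted into the text handed to `sh -c` with the same value passed as an argument or read from the environment. The function names and the harmless `$(echo INJECTED)` sample value are constructed for illustration; `sh -c` stands in for the shell that runs the `exec cmd` string.

```shell
#!/bin/sh
# Constructed sample query string: a harmless command substitution marker,
# shaped like the '$(ls)' value in the report.
SAMPLE_QS='$(echo INJECTED)'

# Unsafe pattern: the value is spliced into the command text first, and only
# then parsed by a shell. The shell sees '$(...)' as source code and runs it.
# This mirrors a cmd="... $QUERY_STRING" attribute after variable expansion.
run_spliced() {
    sh -c "printf '%s\n' $1"
}

# Safer pattern 1: the command text is a fixed string; the value travels as a
# positional argument (argv), so the shell never parses it as source.
run_as_argument() {
    sh -c 'printf "%s\n" "$1"' sh "$1"
}

# Safer pattern 2: the command text is fixed and names no request data; the
# script reads the value from its environment (assumed here to be the
# CGI-style QUERY_STRING variable) and quotes it when used.
run_via_environment() {
    QUERY_STRING=$1 sh -c 'printf "%s\n" "$QUERY_STRING"'
}

# Show all three results side by side when run directly.
printf 'spliced into command text : %s\n' "$(run_spliced "$SAMPLE_QS")"
printf 'passed as an argument     : %s\n' "$(run_as_argument "$SAMPLE_QS")"
printf 'read from the environment : %s\n' "$(run_via_environment "$SAMPLE_QS")"
```

Only the first form executes the embedded command; the other two return the query string byte for byte, which matches the report's suggestion to keep request data out of the `exec cmd` string.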
