httpd-dev mailing list archives

From Lucid <lu...@secret.org>
Subject Re: Server parsed HTML bug!! (?)
Date Fri, 14 Jun 1996 16:03:06 GMT
> > > > > No, wait - I think he means that he wants to have a CGI script output HTML
> > > > > which would then be parsed by the server-side-include engine.
> > > 
> > > yup, we're talking about the same thing.
> > > 
> > > creating commands to be executed on the fly.. oh what fun
> > > 
> > > 
> > > > I used to work in Apache
> > > 
> > > really? I don't think so because people have been asking for it since
> > > 
> > > 
> > 
> > It worked before handlers were introduced....
> > I believe it was 0.9 era... 
> 
> Wrong server. 0.9.x never existed for Apache.

sorry... It was 0.8.16 I believe...  
this was before handlers so I think all modules were being run on a request 
and mod_cgi came before mod_includes

> 
> > It isn't insecure if your script runs like this
> > 
> > if ($foo)	{
> > 	print "<!--#include virtual=\"/cgi-bin/nav.cgi?area=0\"-->";
> > } else {
> > 	print "<!--#include virtual=\"/cgi-bin/nav.cgi?area=1\"-->";
> > }
> > 
> 
> I could pretty easily create a recursive bomb....

If someone has enough write permissions to do that,
it's probably the least of our worries...
However I admit I could be wrong, I just don't see
an exploit or any other problems that we didn't
already have...

If a ~user can use includes in their public_html
of course they can crash the server, of course
they can probably do this via CGI just as easily.

Perhaps we should implement a NBITHACK
so if people want to enable includes they don't
have to enable the "Naughty bits" (like exec cmd)
without doing so explicitly.

-bill
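
The two guards discussed in this thread, as an added illustration that is not code from Apache or from any poster: an include expander that caps nesting depth (the "recursive bomb" case) and leaves exec directives unprocessed unless a handler is passed explicitly. The names `expand`, `fetch`, `exec_handler`, `max_depth`, the `[exec not enabled]` marker and the sample pages are all assumptions constructed for this example.

```python
import re

# Matches directives such as <!--#include virtual="/x"--> or <!--#exec cmd="id"-->
DIRECTIVE = re.compile(r'<!--#(\w+)\s+(\w+)="([^"]*)"\s*-->')

class SSIPolicyError(Exception):
    """Raised when a document violates the include policy."""

def expand(body, fetch, exec_handler=None, max_depth=8, depth=0):
    """Expand include directives in body.

    fetch(path) returns the text behind a virtual path (static file or
    CGI output). exec directives are honoured only when the caller passes
    exec_handler explicitly, so enabling includes does not enable exec.
    """
    if depth > max_depth:
        # A self-including document would otherwise recurse without bound.
        raise SSIPolicyError("include depth limit exceeded")

    def replace(match):
        element = match.group(1).lower()
        attr = match.group(2).lower()
        value = match.group(3)
        if element == "include" and attr == "virtual":
            # Included output is itself parsed, one level deeper.
            return expand(fetch(value), fetch, exec_handler,
                          max_depth, depth + 1)
        if element == "exec":
            if exec_handler is None:
                return "[exec not enabled]"
            return exec_handler(attr, value)
        return match.group(0)  # unknown directives are left untouched

    return DIRECTIVE.sub(replace, body)

# Constructed sample content, keyed by virtual path.
PAGES = {
    "/cgi-bin/nav.cgi?area=0": "<b>nav 0</b>",
    "/loop.shtml": '<!--#include virtual="/loop.shtml"-->',
    "/naughty.shtml": 'x <!--#exec cmd="id"--> y',
}

if __name__ == "__main__":
    page = '<!--#include virtual="/cgi-bin/nav.cgi?area=0"-->'
    print(expand(page, PAGES.__getitem__))
    print(expand(PAGES["/naughty.shtml"], PAGES.__getitem__))
```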
