httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject improper parsing of SSIs
Date Fri, 08 Oct 1999 03:14:43 GMT
This is a valid point, although I don't consider this to be a glaring
problem; unfortunately, SSIs are too loosely defined (even in the Apache
docs) to expect any hard formatting rules.  Apache really shouldn't be
treating '<!--#foo' without any closing '-->' as a valid SSI though; it
should bitch before it tries doing something rather than doing something, 
then figuring out later "hey, I wasn't supposed to do that.  Oh well..."

That code is ugly though.

---------- Forwarded message ----------
Date: Mon, 4 Oct 1999 19:09:16 -0700
From: Blue Boar <BlueBoar@THIEVCO.COM>
To: VULN-DEV@SECURITYFOCUS.COM
Subject: Re: Guestbook perl script (error fix)

drch wrote:

> what if $FORM{'url'} == ><!--#include file="/etc/passwd" --
>

I finally got around to playing with this today.

The short answer is, it worked perfectly.

The long answer is a little more disturbing.  I believe I've spotted a
deficiency in Apache.

I installed the latest version of Apache (1.3.9 when I grabbed it) from
source on my Sparc/Solaris 2.5.1 machine using GCC 2.8.1.  The only change
I can recall making was to correct the server name, and to add SSI:

# diff httpd.conf httpd.conf.default
274c274
< ServerName XXXXXXXX
---
> #ServerName XXXXXXXX
315c315
<     Options Indexes FollowSymLinks Includes
---
>     Options Indexes FollowSymLinks
680,681c680,681
< AddType text/html .shtml
< AddHandler server-parsed .shtml
---
> #AddType text/html .shtml
> #AddHandler server-parsed .shtml
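Review bot: Because the command is `diff httpd.conf httpd.conf.default`, the `<` lines are the live configuration and the `>` lines the shipped default, the reverse of the usual old-then-new order, so it is the `<` lines that are in effect. The change at 315c315 enables `Includes` rather than `IncludesNOEXEC`; `Includes` permits `#exec`, which is why `<!--#exec cmd=...` runs in the tests below, whereas `IncludesNOEXEC` keeps server-parsed pages working but refuses `#exec cmd`.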

I had to modify the guestbook script for the appropriate directories and
filenames, but it's otherwise the same one we've been discussing.  HTML
enabled.

During my testing of the exploit, I've found that all of these work:

<!--#exec cmd="cat /etc/group"-->
<!--#exec cmd="cat /etc/group">
<!--#exec cmd="cat /etc/group"

This works even in the middle of a line of HTML code!

What am I missing?  Clearly, the author of the guestbook.pl script expected
SSI lines to end in --> :

   $value =~ s/<!--(.|\n)*-->//g;

It turns out that one can get around this much easier than previously
stated. Just leave off the -->

I don't know a lot about SSI.  Can someone help me with that?  This seems a
little TOO flexible for safety's sake.

Can anyone else verify that their web server behaves similarly, and that I
haven't configured or compiled something funny?  I haven't had time to dig
into the Apache code yet.

I suggest that folks look for lines that have <!-- in them, and dump the
whole line for safety's sake, when writing such scripts.  In my brief
testing, the entire <!-- prefix seemed necessary.

For completeness' sake, I should state that, at least for the script as
written, SSI must be enabled for .html files, as the guestbook.html is that
type.  In my example, I went out of my way to make it guestbook.shtml,
which I would not expect to find "in the wild."  And yes, my web host DOES
have some of the virtual domains set up that way.  I gave them a little
advance notice for purposes of CYA. :)  I won't tell which ones.  I did my
testing on my own machine, not on my web hosting provider.

							BB

P.S. For those who want to see a piece of the work in progress that led to
this, here's a short bit of HTML I was using as an "exploit" of sorts.
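The filtering weakness discussed in the forwarded message, as an added example that is not part of either post: a Python reimplementation of the guestbook's `s/<!--(.|\n)*-->//g` filter run against the three directive forms reported above, beside a detection check and two mitigations (the line-dropping one the post suggests, and HTML-escaping of the field, which is an addition here). The sample inputs are constructed.

```python
import html
import re

# Reimplementation of the guestbook's Perl filter, $value =~ s/<!--(.|\n)*-->//g,
# for this demo: greedy, and it only matches comments that actually end in "-->".
WEAK_RE = re.compile(r"<!--.*-->", re.DOTALL)

# mod_include acts on the "<!--#" start tag; as the post reports, the "-->" end
# tag is not needed for the directive to run.
SSI_START = "<!--#"


def weak_strip(value: str) -> str:
    """The original sanitizer: removes only properly terminated comments."""
    return WEAK_RE.sub("", value)


def contains_ssi_directive(value: str) -> bool:
    """Detection: flag any field holding a directive start, terminated or not."""
    return SSI_START in value


def drop_comment_lines(value: str) -> str:
    """The fix suggested in the post: discard every line containing '<!--'."""
    return "\n".join(line for line in value.splitlines() if "<!--" not in line)


def escape_field(value: str) -> str:
    """Stronger mitigation (added here): HTML-escape the field, so '<' becomes
    '&lt;' and the literal '<!--#' start tag can never reach mod_include."""
    return html.escape(value, quote=True)


# Constructed samples: the three forms the post reports as working, plus one
# embedded in the middle of a line of otherwise harmless text.
SAMPLES = [
    '<!--#exec cmd="cat /etc/group"-->',
    '<!--#exec cmd="cat /etc/group">',
    '<!--#exec cmd="cat /etc/group"',
    'Nice site! <!--#exec cmd="cat /etc/group" Thanks.',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"input:    {s!r}")
        print(f"weak:     {weak_strip(s)!r}")   # only the first sample is removed
        print(f"detected: {contains_ssi_directive(s)}")
        print(f"escaped:  {escape_field(s)!r}\n")
```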
