COMMAND
guestbook.cgi
SYSTEMS AFFECTED
Systems running the CGI above
PROBLEM
Stunt Pope found the following potential vulnerability in the
guestbook script at Matt Wright's archive. Basically, it is still
possible to use the SSI method of attack provided certain
conditions are met:
1) $allow_html is turned on (which it is by default)
2) whatever file holds the messages (guestbook.html) is server
parsed
3) the web server executes a malformed SSI
The script attempts to strip out SSIs with the following regex:
$value =~ s/<!--(.|\n)*-->//g;
Which is fairly easily circumvented by entering:
<!--#exec cmd="/bin/cat /etc/passwd"->
It seems that if the resultant page is server parsed, the server
(tested on Apache 1.2.6) will happily execute the SSI. In fact it
will do so even in the absence of a closing tag altogether:
<!--#exec cmd="/bin/cat /etc/passwd"
...also seems to work. So the vulnerability exists because:
1) it is assumed an attacker will enter a correctly formed SSI
2) the httpd executes malformed SSIs
SOLUTION
Exec-SSIs are a security problem in themselves, and one should know
about the risks before enabling them (and enabling them for pages
which are generated from user input, e.g. guestbook pages, is just a
stupid idea). Scripts should not go about generating SSI based on
user input. It is trivial to configure the server to avoid this:
use a different file extension for SSI and non-SSI files. Apache
does diagnose the malformed tag:
[Thu Jun 25 14:23:23 1998] [error] httpd: premature EOF in parsed file /blah/blah/tt.shtml
But the diagnosis occurs after it has executed the command, and
we're unlikely to change that. The parser just executes things
as it encounters them. It does not attempt to find an entire tag
first; that would be needlessly complex (consider long tags spanning
multiple input buffers).
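As an added illustration (not part of the advisory and not code from Matt Wright's script), the regex above is ported verbatim to Python and run against the two malformed entries from the advisory, next to a hardened filter that treats any unmatched "<!--" as live and an HTML-escaping alternative; the sample entries are constructed and the function names are assumed.

```python
import re

# The script's own filter, ported verbatim from Perl (s/<!--(.|\n)*-->//g).
# It only removes comments that carry the full closing "-->".
ORIGINAL_SSI_FILTER = re.compile(r"<!--(.|\n)*-->")


def strip_ssi_original(value):
    """Reproduce the guestbook script's stripping step."""
    return ORIGINAL_SSI_FILTER.sub("", value)


def strip_ssi_hardened(value):
    """Drop everything from any '<!--' to the end of the entry: mod_include
    acts as soon as it sees an opener, so an unmatched one is live, not text."""
    return re.sub(r"<!--.*", "", value, flags=re.S)


def escape_html(value):
    """Safer still when $allow_html is not needed: neutralise the characters
    that form any tag, well-formed or not."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def looks_like_ssi(value):
    """Review check for stored entries: an '<!--#' opener alone is enough to
    flag, since no closing '-->' is needed for execution."""
    return "<!--#" in value


# Constructed guestbook entries; the two malformed ones are the bypasses
# described in the advisory.
SAMPLES = {
    "well_formed": '<!--#exec cmd="/bin/cat /etc/passwd"-->',
    "short_close": '<!--#exec cmd="/bin/cat /etc/passwd"->',
    "no_close": 'nice site <!--#exec cmd="/bin/cat /etc/passwd"',
    "benign": "nice site <b>thanks</b>",
}


def audit(samples=SAMPLES):
    """Per sample: does an SSI opener survive the original filter, and does
    one survive the hardened filter?"""
    return {name: (looks_like_ssi(strip_ssi_original(v)),
                   looks_like_ssi(strip_ssi_hardened(v)))
            for name, v in samples.items()}
```

Running audit() shows the original regex removing only the well-formed entry while both malformed ones pass through untouched; the hardened filter leaves no opener in any of them.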