Blue Boar wrote:
> If you're running the guestbook program, AND you have HTML posting enabled
> (this is a guestbook configuration option) AND you have SSI enabled for
> .html files, you are vulnerable. Other configurations may be vulnerable if
> customizations have been made, for example modifying the guestbook.pl
> script to write to guestbook.shtml instead of guestbook.html, and having
> SSI enabled on .shtml files.
Erm, isn't it standard practice not to enable SSI for .html for exactly
this sort of reason? When a webdesigner/sysadmin/whoever uses .shtml
with CGI enabled they need to be aware that they are giving whoever
generates the HTML a shell prompt, exactly like using the exec() command
in a Perl script, etc, and the input should be checked accordingly.
This is not a fault of Apache or even Matt's script, but of it being
used incompetently. It's a standard case of if you don't fully
understand the security implications don't change the configuration.
BTW, I have lots of .shtml of the form <a href="someurl"><!--#include
virtual="randimg.pl"--></a> and I certainly expect Apache to run it.
This is the correct behaviour.
--
Stephen White <[EMAIL PROTECTED]>
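
Added example, not part of the original message or of the guestbook script: one way to apply the input check the reply calls for before an entry is written to a server-parsed file, plus an audit of pages already stored. The function names and sample strings are assumptions constructed for illustration, and Python stands in for the script's Perl.

```python
import html
import re

# Start of an SSI directive: "<!--#" plus the element name (exec, include, ...).
# Optional whitespace is tolerated so the audit errs on the side of reporting.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+)", re.IGNORECASE)


def neutralize(entry: str, allow_html: bool = False) -> str:
    """Return a guestbook entry that is safe to store in a server-parsed file."""
    if not allow_html:
        # HTML posting disabled: escape all markup, directives included.
        return html.escape(entry, quote=True)
    # HTML posting enabled: keep ordinary tags but escape every comment opener.
    # Escaping, rather than deleting matched text, leaves nothing in the
    # stored entry that an SSI parser recognises as a directive.
    return entry.replace("<!--", "&lt;!--")


def find_directives(page: str) -> list[tuple[int, str]]:
    """Report (line number, element) for each SSI directive in a stored page."""
    hits = []
    for lineno, line in enumerate(page.splitlines(), start=1):
        for match in SSI_DIRECTIVE.finditer(line):
            hits.append((lineno, match.group(1).lower()))
    return hits


# Constructed sample input: a visitor entry carrying a directive, and a page
# the site owner wrote deliberately (the include from the message above).
VISITOR_ENTRY = 'Nice site! <!--#exec cmd="id"--> <b>bye</b>'
OWNER_PAGE = '<a href="someurl"><!--#include virtual="randimg.pl"--></a>'

if __name__ == "__main__":
    stored = "<html>\n<p>Guestbook</p>\n" + VISITOR_ENTRY + "\n</html>"
    print("unfiltered page:", find_directives(stored))
    print("owner page:     ", find_directives(OWNER_PAGE))
    print("HTML allowed:   ", neutralize(VISITOR_ENTRY, allow_html=True))
    print("HTML disabled:  ", neutralize(VISITOR_ENTRY))
```

The audit reports the owner's own include as well, so its output is a list to review against what the site author put there, not a list of confirmed injections.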