>Number:         4405
>Category:       mod_include
>Synopsis:       problem with nested 2nd SSI (buffer overflow?)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu May 13 08:30:00 PDT 1999
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.3.3 and 1.3.6
>Environment:
Win32, Linux, FreeBSD
>Description:
Assume the following files:
----index.html----
index1
<!--#include file="body.html" -->
index2
----body.html------
body1
<!--#include file="part1.html" -->
body2
<!--#include file="part2.html" -->
body3
----part1.html-----
part1
----part2.html-----
part2
-------------------------------
The resulting output is: index1 body1 part1 index2
The resulting output should be: index1 body1 part1 body2 part2 body3 index2
The error log says: premature EOF in parsed file /path/to/body.html
In some cases when I try this, I get spurious html 
in the page at the end of body1 which overwrites index2 (not as reproducible).

>How-To-Repeat:
Try making the pages described above.
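To give the expected output something mechanical to compare against, here is an added reference resolver (not Apache's mod_include code, written for this report) that expands nested file= includes depth-first, the way the report says they should nest, with an assumed depth limit as a loop guard, plus a token diff that reports which pieces of the reference output a server dropped. The four files are constructed in memory from the report.

```python
import re
from typing import Dict, List

# Constructed in-memory copies of the four files described in the report.
FILES: Dict[str, str] = {
    "index.html": 'index1\n<!--#include file="body.html" -->\nindex2\n',
    "body.html": ('body1\n<!--#include file="part1.html" -->\nbody2\n'
                  '<!--#include file="part2.html" -->\nbody3\n'),
    "part1.html": "part1\n",
    "part2.html": "part2\n",
}

# Only the file= form is handled; virtual= (URL-path includes) is out of scope here.
INCLUDE_RE = re.compile(r'<!--#include\s+file="([^"]+)"\s*-->')

def resolve(name: str, files: Dict[str, str], depth: int = 0, max_depth: int = 16) -> str:
    """Expand nested includes depth-first, so text after an inner include is kept.
    max_depth is an assumed guard so a self-including file cannot recurse forever."""
    if depth > max_depth:
        raise RecursionError(f"include nesting deeper than {max_depth} at {name!r}")
    # file= is relative to the current document's directory: refuse absolute
    # paths and any parent-directory component, as mod_include documents.
    if name.startswith("/") or ".." in name.split("/"):
        raise ValueError(f"refused include path: {name!r}")
    return INCLUDE_RE.sub(
        lambda m: resolve(m.group(1), files, depth + 1, max_depth), files[name])

def expands(name: str, files: Dict[str, str]) -> bool:
    """True when the whole include tree expands within the guard rails."""
    try:
        resolve(name, files)
        return True
    except (RecursionError, ValueError, KeyError):
        return False

def missing_tokens(expected: List[str], actual: List[str]) -> List[str]:
    """Greedy left-to-right walk: return every reference token the server never
    produced, in order. Extra (spurious) tokens in actual are skipped over."""
    missing, pos = [], 0
    for tok in expected:
        try:
            pos = actual.index(tok, pos) + 1  # found later in actual: advance past it
        except ValueError:
            missing.append(tok)
    return missing

if __name__ == "__main__":
    reference = resolve("index.html", FILES).split()
    observed = "index1 body1 part1 index2".split()  # the output the report shows
    print("expected:", " ".join(reference))
    print("dropped :", missing_tokens(reference, observed))  # ['body2', 'part2', 'body3']
```

Feeding a real server's response through missing_tokens pinpoints exactly where the parsed output stops, which is what "premature EOF in parsed file" in the error log hints at.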
>Fix:
Check the page buffering code in ssi. (just a guess)
The page mangling makes me think there is a buffer overflow
exploit here, but I am not sufficiently an expert in this area to know
how to exploit it.
>Audit-Trail:
>Unformatted: