https://issues.apache.org/bugzilla/show_bug.cgi?id=57580
--- Comment #10 from D. Stussy ---
Show me where BASH is called in this SSI using mod_include:

<HTML><HEAD>
<TITLE>Error 400 - Bad Request or Syntax Error</TITLE>
<META NAME="DC.Date.Created" CONTENT="2002-05-10 00:00:00">
<META NAME="DC.Date.Modified" CONTENT="2010-03-15 00:00:00">
<META NAME="Description" CONTENT="HTTP Server 400 Error Page">
<META NAME="Classification" CONTENT="HTTP Server Error Handler Page">
<META NAME="Robots" CONTENT="NoIndex,NoFollow,NoArchive,NoCache,NoSnippet">
<META HTTP-EQUIV="Content-Type" CONTENT="Text/HTML; CHARSET=iso-8859-1">
</HEAD><BODY TEXT=BLACK BGCOLOR=WHITE LINK=BLUE VLINK=RED ALINK="#33FF33">
<B>An <FONT COLOR=RED>ERROR</FONT> has occurred: Access to that web page,
script, or other service has been denied. Either an error has been made in the
target page or service, or your web browser issued an improper or malformed
request. Try again.</B>
<BR CLEAR=BOTH><HR><TABLE ALIGN=CENTER BGCOLOR=LIGHTCYAN WIDTH=100%><TR>
<TD ALIGN=RIGHT><B>Requested Page:</B></TD>
<TD><B>http<!--#if expr="$HTTPS = on" -->s<!--#endif -->://<!--#echo var="HTTP_HOST" var="REQUEST_URI" --></B></TD>
<!--#if expr="$HTTP_REFERER" --></TR><TR>
<TD ALIGN=RIGHT><B>Referring Page:</B></TD>
<TD><B><!--#echo var="HTTP_REFERER" --></B></TD>
<!--#endif --></TR><TR>
<TD ALIGN=RIGHT><B>Requested From:</B></TD>
<TD><B><!--#echo var="REMOTE_ADDR" --> : <!--#echo var="REMOTE_PORT" -->
<!--#if expr="HTTP_ACCEPT_BROWSER" -->
<!--#if expr="$HTTP_ACCEPT_BROWSER = msie" -->(Internet Explorer)
<!--#elif expr="$HTTP_ACCEPT_BROWSER = ns" -->(Netscape)
<!--#elif expr="$HTTP_ACCEPT_BROWSER = lynx" -->(Lynx)
<!--#elif expr="$HTTP_ACCEPT_BROWSER = safari" -->(Safari)
<!--#elif expr="$HTTP_ACCEPT_BROWSER = firefox" -->(Firefox)
<!--#elif expr="$HTTP_ACCEPT_BROWSER = chrome" -->(Google Chrome)
<!--#else -->(<!--#echo var="HTTP_ACCEPT_BROWSER" -->)<!--#endif -->
<!--#endif --><!--#if expr="$REDIRECT_REQUEST_METHOD" -->
[<!--#echo var="REDIRECT_REQUEST_METHOD" -->]<!--#else -->
[<!--#echo var="REQUEST_METHOD" -->]<!--#endif --></B></TD>
<!--#if expr="$HTTPS" --></TR><TR>
<TD ALIGN=RIGHT><B>Encryption Method:</B></TD>
<TD><B><!--#echo var="SSL_PROTOCOL_VERSION" --><!--#echo var="HTTPS_CIPHER" --><!--#echo var="HTTPS_KEYSIZE" --></B></TD>
<!--#endif --><!--#if expr="$REMOTE_USER" --></TR><TR>
<TD ALIGN=RIGHT><B>Validated User:</B></TD>
<TD><B><!--#echo var="REMOTE_USER" --></B></TD>
<!--#endif --></TR></TABLE><HR></BODY></HTML>

I see no #execs (direct) and no #include virtuals (indirect) directives here.
BASH is never invoked, yet this script is still vulnerable to the bug.

Not only that, I don't explicitly use the "USER_AGENT" variable in the script
(but it is used in the configuration file to set the "HTTP_ACCEPT_BROWSER"
value by using BrowserMatch statements).
