Received: (qmail 18042 invoked by uid 2012); 13 May 1999 15:28:37 -0000 Message-Id: <19990513152837.18041.qmail@hyperreal.org> Date: 13 May 1999 15:28:37 -0000 From: Alex Jacobson Reply-To: alex@shop.com To: apbugs@hyperreal.org Subject: problem with nested 2nd SSI (buffer overflow?) X-Send-Pr-Version: 3.2 >Number: 4405 >Category: mod_include >Synopsis: problem with nested 2nd SSI (buffer overflow?) >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu May 13 08:30:00 PDT 1999 >Last-Modified: >Originator: alex@shop.com >Organization: apache >Release: 1.3.3 and 1.3.6 >Environment: Win32, Linux, FreeBSD >Description: Assume the follow files: ----index.html---- index1 index2 ----body.html------ body1 body2 body3 ----part1.html----- part1 ----part2.html----- part2 ------------------------------- The resulting output is: index1 body1 part1 index2 The resulting output should be: index1 body1 part1 body2 part2 body3 index2 The error log says: premature EOF in parsed file /path/to/body.html In some cases when I try this, I get spurious html in the page at the end of body1 which overwrites index2 (not as reproducible). >How-To-Repeat: Try making the pages describes above. >Fix: Check the page buffering code in ssi. (just a guess) The page mangling makes me think there is buffer overflow exploit here, but I am not sufficiently an expert in this area to know how to exploit it. >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]