Received: (qmail 13059 invoked by uid 65534); 4 Feb 2000 18:09:49 -0000
Message-Id: <20000204180949.13058.qmail@locus.apache.org>
Date: 4 Feb 2000 18:09:49 -0000
From: Ha Quach <ha@linux1.org>
Reply-To: ha@linux1.org
To: submit@bugz.apache.org
Subject: security hole: SSI include virtual executes CGI
X-Send-Pr-Version: 3.110

>Number:         5702
>Category:       mod_include
>Synopsis:       security hole: SSI include virtual executes CGI
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Feb 04 10:10:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     ha@linux1.org
>Release:        1.3
>Organization:
apache
>Environment:
Linux 2.214, Redhat 6.1, Apache 1.3.11, x86
>Description:
This is a trick I use when I don't have ExecCGI. If I simply want a GET on a CGI
script, I do

<!--#include virtual="/cgi-bin/somescript.cgi" -->

While this logically makes sense, don't you think this is a HUGE security flaw?
Can we make it so that if an 'include virtual' is called, there's no way it can 
dip into pages ScriptAlias'd?

You can perform this on virtually any platform and, as far as I know, with any
version of Apache since SSI has been working decently.
>How-To-Repeat:
Set config file to use SSI and set Options IncludesNOEXEC.
Create a CGI script and create an SHTML page, stick the include tag in the 
SHTML page to point to the CGI script:

#!/bin/sh
echo "Go away"

<html><body><!--#include virtual="/cgi-bin/goaway" --></body></html>
>Fix:
fix is obvious, as described in 'Full Description'
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]