You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/02/02 22:48:03 UTC
DO NOT REPLY [Bug 50711] New: QUERY_STRING vulnerability possible
remote code execution
https://issues.apache.org/bugzilla/show_bug.cgi?id=50711
Summary: QUERY_STRING vulnerability possible remote code
execution
Product: Apache httpd-2
Version: 2.0-HEAD
Platform: PC
OS/Version: Linux
Status: NEW
Severity: trivial
Priority: P2
Component: mod_include
AssignedTo: bugs@httpd.apache.org
ReportedBy: kzg@xc.hu
example:
vulnerable URL: http://lameserver.hu/ssi.html?$(ls)
-rwxr-xr-x ssi.html as follows:
<!--#exec cmd="/scriptDir/vulnerable.bash $QUERY_STRING;" -->
/scriptDir/vulnerable.bash should be:
#! /bin/ANYsh
echo "$1"
result: "$1" would expand to any command in braces. This example, displays a
directory listing instead of the string '$(ls)'
Apache does not escapes the dollar sign in query strings. Try:
http://apache.org/?$(ls)
Suggestion: avoid using args in "exec cmd" SSI scripts
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 50711] QUERY_STRING vulnerability possible remote
code execution
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50711
William A. Rowe Jr. <wr...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #1 from William A. Rowe Jr. <wr...@apache.org> 2011-02-02 16:52:15 EST ---
This is well known. Do you have an example of a script the ASF distributes
which is foolish enough to do this?
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org