Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/02/02 22:48:03 UTC

DO NOT REPLY [Bug 50711] New: QUERY_STRING vulnerability possible remote code execution

https://issues.apache.org/bugzilla/show_bug.cgi?id=50711

           Summary: QUERY_STRING vulnerability possible remote code
                    execution
           Product: Apache httpd-2
           Version: 2.0-HEAD
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: trivial
          Priority: P2
         Component: mod_include
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: kzg@xc.hu


example: 
vulnerable URL: http://lameserver.hu/ssi.html?$(ls)
-rwxr-xr-x ssi.html as follows:
<!--#exec cmd="/scriptDir/vulnerable.bash $QUERY_STRING;" -->

/scriptDir/vulnerable.bash should be:
#! /bin/ANYsh
echo "$1"

result: "$1" would expand to any command in braces. This example displays a
directory listing instead of the string '$(ls)'.

Apache does not escape the dollar sign in query strings. Try:
http://apache.org/?$(ls)

Suggestion: avoid using args in "exec cmd" SSI scripts

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 50711] QUERY_STRING vulnerability possible remote code execution

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50711

William A. Rowe Jr. <wr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from William A. Rowe Jr. <wr...@apache.org> 2011-02-02 16:52:15 EST ---
This is well known.  Do you have an example of a script the ASF distributes
which is foolish enough to do this?

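
The pattern from the report next to the reporter's suggestion, as an added example that is not part of the original thread or of Apache httpd. The script names, function names and sample value are constructed, and `sh -c` stands in for the shell that receives the "exec cmd" string after variable substitution.

```shell
#!/bin/sh
# Added example with constructed input; not code from the bug report.
SCRIPT_DIR=$(mktemp -d)
trap 'rm -rf "$SCRIPT_DIR"' EXIT

# Stand-in for /scriptDir/vulnerable.bash: echoes its first argument.
cat > "$SCRIPT_DIR/echo_arg.sh" <<'EOF'
#!/bin/sh
echo "$1"
EOF
# Variant following the suggestion: takes no arguments, reads the environment.
cat > "$SCRIPT_DIR/echo_env.sh" <<'EOF'
#!/bin/sh
printf '%s\n' "$QUERY_STRING"
EOF
chmod +x "$SCRIPT_DIR/echo_arg.sh" "$SCRIPT_DIR/echo_env.sh"

# Reported pattern: the query string is pasted into the command text and the
# finished text is parsed by a shell, so $(...) is evaluated before the script runs.
exec_cmd_with_arg() {
    sh -c "$SCRIPT_DIR/echo_arg.sh $1;"
}

# Suggested pattern: fixed command text; the value travels only as data in
# the QUERY_STRING environment variable and is never parsed as shell syntax.
exec_cmd_env_only() {
    QUERY_STRING=$1 sh -c "$SCRIPT_DIR/echo_env.sh"
}

# Allowlist check for scripts that act on the value: letters, digits, = & . _ -
query_is_plain() {
    case $1 in
        ''|*[!A-Za-z0-9=\&._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

SAMPLE='$(echo EXPANDED)'   # constructed, harmless stand-in for the report's $(ls)
echo "arg in cmd text : $(exec_cmd_with_arg "$SAMPLE")"
echo "environment only: $(exec_cmd_env_only "$SAMPLE")"
query_is_plain "$SAMPLE" || echo "allowlist       : rejected"
```

The first line of output shows the substituted text was evaluated by the shell; the second shows the same value printed literally when it is read from the environment instead of the command line.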