Re: Re[2]: BUG: fastcgi ssi output is not parsed for nested ssi's

Stanley Gambarin (gambarin@OpenMarket.com)
Mon, 28 Apr 1997 14:16:46 -0400

Message-Id: <199704281816.OAA02238@u4-138.openmarket.com>
To: shad@pathfinder.com (Shadrach Todd)
Subject: Re: Re[2]: BUG: fastcgi ssi output is not parsed for nested ssi's 
In-Reply-To: Your message of "Fri, 25 Apr 1997 16:05:31 EDT."
             <199704252005.QAA28342@binge.dev.pathfinder.com.pathfinder.com> 
Date: Mon, 28 Apr 1997 14:16:46 -0400
From: Stanley Gambarin <gambarin@OpenMarket.com>

	The following is the description of a potential security hole that
may occur if the parsing of the output of the CGIs is done for embedded SSIs.
Note that the following description contains a lot of IFs and is also highly
dependent on the server configuration.  It is only used to represent one
potential security problem, but there may be more involved ones.
	As for my personal opinion on the subject, this functionality should
be an optional one, since it provides more powerful features at the cost of the
potential security problems.

Configuration is as follows: (server dependent, of course)
	- a server is configured to allow the execution of the CGI scripts
by system users (i.e. a user can write their own CGI script)
	- server is running as process id of root
	- server performs minimalistic, if any, uid/gid checks
	  (this is implementation dependent)

Hole:
	- a user on the system would like to access the information in some
file, say /etc/passwd, that he/she cannot access due to the lack of
permissions.  Executing a simple CGI which cats /etc/passwd is not possible,
as the web server makes sure that CGIs are executed as the uid of the user.
	- a user writes a CGI program which outputs the following
	Content-type: text/x-server-parsed-html
	<!--#include file="/etc/passwd"-->
	- a user accesses the program from Netscape.

	Now, if the server parses output of the CGIs, it will issue a
subrequest to process the new information.  Depending on the implementation,
it will either include the contents of /etc/passwd (as the web server is
running as root) or disallow the request.
	The problem with the above is to decide when the subrequest should
be allowed to proceed and when it should be denied (maybe all requests to the
same machine are denied, but remote requests (like redirection) are allowed).

	As I stated before, there are a lot of IFs and the actual problems
are highly dependent on server implementation, but the above is a possible 
example of the security hole.

						Hope that was of some help.
								Stanley.
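As an added example, not part of Stanley's message or of any server's code: a small Python model of the decision he describes, where a root-running server resolves an SSI include against the uid/gid the CGI ran under instead of its own. The directive regex, the readable_by() permission emulation, the decide_includes() function and the constructed mini filesystem (SAMPLE_FS, sample_stat) are assumptions for illustration.

```python
import re
import stat

# Matches the NCSA-style SSI include directive quoted in the message.
INCLUDE_RE = re.compile(r'<!--#include\s+(file|virtual)="([^"]*)"\s*-->')

# Constructed mini filesystem for the example: path -> (st_uid, st_gid, mode).
# /etc/passwd is made unreadable to others here to model "a file the user
# cannot access"; real systems usually leave it world-readable.
SAMPLE_FS = {
    "/etc/passwd": (0, 0, 0o600),
    "/home/alice/notes.html": (1000, 1000, 0o644),
}

def sample_stat(path):
    """Hypothetical stand-in for os.stat so the example runs offline."""
    return SAMPLE_FS[path]

def readable_by(uid, gid, st_uid, st_gid, mode):
    """Classic Unix read check for a given uid/gid. Because the server itself
    runs as root, it must check with the CGI owner's identity, not its own."""
    if uid == st_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == st_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def decide_includes(headers, body, uid, gid, stat_lookup=sample_stat):
    """Return [(decision, path)] for each include directive in CGI output.
    uid/gid are those the CGI ran under; an include is honoured only if that
    identity could have read the file directly."""
    if headers.get("Content-type") != "text/x-server-parsed-html":
        return []  # output is not server-parsed; nothing to decide
    decisions = []
    for kind, path in INCLUDE_RE.findall(body):
        if kind == "virtual":
            # Subrequest back to the same server: denied outright, the option
            # the message raises for requests to the same machine.
            decisions.append(("deny", path))
            continue
        try:
            st_uid, st_gid, mode = stat_lookup(path)
        except KeyError:
            decisions.append(("deny", path))  # unknown file: fail closed
            continue
        ok = readable_by(uid, gid, st_uid, st_gid, mode)
        decisions.append(("allow" if ok else "deny", path))
    return decisions
```

Run with the message's own directive (`<!--#include file="/etc/passwd"-->`) and a non-root uid/gid, and the include is denied; the same user's own world-readable page is allowed.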