Re: Re[2]: BUG: fastcgi ssi output is not parsed for nested ssi's

Carlos A. Pero (carlosp@ravenna.com)
Tue, 29 Apr 1997 10:01:04 -0500 (CDT)

Date: Tue, 29 Apr 1997 10:01:04 -0500 (CDT)
From: carlosp@ravenna.com (Carlos A. Pero)
To: Stanley Gambarin <gambarin@OpenMarket.com>
Subject: Re: Re[2]: BUG: fastcgi ssi output is not parsed for nested ssi's 
In-Reply-To: <199704281816.OAA02238@u4-138.openmarket.com>
Message-Id: <Pine.SOL.3.91.970429094432.8839A-100000@gallery.ravenna.com>

On Mon, 28 Apr 1997, Stanley Gambarin wrote:

> Hole:
> 	- a user on the system would like to access the information in some
> file, say /etc/passwd,  that he/she can not access due to the lack of 
> permissions.  Executing a simple CGI which cats /etc/passwd is not possible,
> as web server makes sure that CGI are executed as uid of the user.

Actually, /etc/passwd is world-readable, so a simple CGI to cat the 
contents is trivial to write, but let's assume that /etc/passwd is 
protected for the sake of this discussion.


> 	- a user writes a CGI program which outputs the following
> 	Content-type: text/x-server-parsed-html
> 	<!--#include file="/etc/passwd"-->
> 	- a user accesses the program from the netscape.
> 
> 	Now, if the server parses output of the CGIs, it will issue a 
> subrequest to process the new information.  Pending the implementation, 
> it will either include the contents of the /etc/passwd (as web server is 
> running as a root) or disallow the request.

First of all, I don't see a difference between executing this server-side 
include from within a CGI rather than in a plain HTML file itself.  Both 
are executed by the web server, running as the setuid user.  File 
permissions should be the same.

But the overall problem with your "hole", Stanley, is that the 
server-side include syntax doesn't work this way.  From the OpenMarket 
Secure WebServer 2.0 manual, page 62:

---------
include
   The command include inserts the text of a document into the parsed
   document.  Any included file is subject to the usual access control.
   This command accepts two tags:

   virtual
      gives a virtual path to a document on the server.  You must access
      a normal file this way.  You cannot access a CGI script in this 
      fashion; however, you an [sic] access another parsed document.
      For example:
        virtual="user/text.html"

   file
      gives a pathname relative to the current directory.  The path 
      ../ cannot be used in this pathname, nor can absolute paths
      be used.  As for virtual, you can access other parsed documents,
      but not CGI scripts.  For example:
        <!--#include file="text.html" -->
----------

So you see, the SSI that you use as an example:

   <!--#include file="/etc/passwd" -->

simply does not work.  Tested with OpenMarket Secure WebServer 2.0, in 
both CGI output and plain HTML file usage, yields the following error:

   <!--# (#114) include file not found: /etc/passwd -->


-Carlos

---------------------------------------------------
Carlos A. Pero        |   VP Technology
carlosp@ravenna.com   |   The Ravenna Consortium
---------------------------------------------------
The Ravenna Consortium      http://www.ravenna.com/
---------------------------------------------------
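
The rule for the `file` tag quoted from the manual above, as an added example (not part of the original message and not OpenMarket's code): a Python check that scans server-parsed output for include directives and flags `file` paths that are absolute or contain a `..` component. The function names and the sample document are constructed for illustration; `virtual` paths are only reported, since the quoted text leaves them to the server's access control.

```python
import re

# Matches <!--#include file="..." --> and <!--#include virtual="..." -->,
# with or without a space before the closing "-->".
INCLUDE_RE = re.compile(r'<!--#include\s+(file|virtual)="([^"]*)"\s*-->')


def file_tag_allowed(path):
    """Rule quoted for the `file` tag: the path is relative to the current
    directory, so absolute paths and any ../ component are refused."""
    if not path or path.startswith("/"):
        return False
    return ".." not in path.split("/")


def audit_includes(document):
    """Return (tag, path, allowed) for each include directive found.
    allowed is True/False for `file`, and None for `virtual` (not checked)."""
    results = []
    for tag, path in INCLUDE_RE.findall(document):
        allowed = file_tag_allowed(path) if tag == "file" else None
        results.append((tag, path, allowed))
    return results


def rejected_file_includes(document):
    """Paths from `file` includes that the quoted rule would refuse."""
    return [p for tag, p, ok in audit_includes(document)
            if tag == "file" and ok is False]


# Constructed sample: CGI output declared as server-parsed HTML.
SAMPLE = """Content-type: text/x-server-parsed-html

<!--#include file="/etc/passwd"-->
<!--#include file="text.html" -->
<!--#include file="../private/notes.html" -->
<!--#include file="docs/../../notes.html" -->
<!--#include virtual="user/text.html" -->
"""

if __name__ == "__main__":
    for tag, path, allowed in audit_includes(SAMPLE):
        verdict = {True: "ok", False: "refused", None: "not checked"}[allowed]
        print(f"{tag:8} {path:28} {verdict}")
```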