[pkg-lighttpd] Bug#703379: lighttpd doesn't interpret SSI commands
Fabian Wannenmacher
wannespam at googlemail.com
Mon Mar 18 22:42:56 UTC 2013
Package: lighttpd
Version: 1.4.31-3
Severity: important
Dear Maintainer,
If you download a website which includes SSI commands from lighttpd, lighttpd
sometimes serves the command instead of interpreting it.
This only happens if you load multiple files with HTTP/1.1 and compression. So
you have to enable mod_compress and you have to use a modern browser (Konqueror
or Chromium, not wget or curl) to reproduce this.
Since this does not always happen, you may have to reload 2 or 3 times to
reproduce it.
A minimal shtml file which causes this bug is this (since some mail clients
interpret HTML, I replaced < and > with [ and ]):
>[!DOCTYPE html]
>[html]
>[head]
> [title]SSI-Generated[/title]
> [link href="style.css" rel="stylesheet" type="text/css" /]
>[/head]
> [!--#exec cmd="echo '<hr>'" --]
>[/html]
(A link to an external stylesheet or JS file seems to be important to cause this
bug.)
Since there are people who have secret data in their commands, this can be really
dangerous for some servers. (Something like --#exec cmd="mysql -p passwd [...]"
-- is not uncommon.)
Greetings,
wanne
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages lighttpd depends on:
ii libattr1 1:2.4.46-8
ii libbz2-1.0 1.0.6-4
ii libc6 2.13-38
ii libfam0 2.7.0-17
ii libldap-2.4-2 2.4.31-1
ii libpcre3 1:8.30-5
ii libssl1.0.0 1.0.1e-1
ii libterm-readline-perl-perl 1.0303-1
ii lsb-base 4.1+Debian8
ii mime-support 3.52-1
ii perl 5.14.2-20
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages lighttpd recommends:
pn spawn-fcgi <none>
Versions of packages lighttpd suggests:
pn apache2-utils <none>
ii openssl 1.0.1e-1
pn rrdtool <none>
-- Configuration Files:
/etc/lighttpd/lighttpd.conf changed [not included]
-- no debconf information
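The following is an added example, not part of the bug report and not lighttpd project code. It implements the check a practitioner would want after reading the report: fetch several paths repeatedly over one HTTP/1.1 keep-alive connection with Accept-Encoding: gzip (the conditions the reporter names), decode the body the way a browser would, and flag any raw SSI directive that reaches the client, since a leaked `<!--#exec cmd="..." -->` exposes whatever credentials sit in the command. The host, port and paths (127.0.0.1:80, /index.shtml, /style.css) and the sample responses are assumptions constructed for illustration. The detection part runs offline; check_server() needs a reachable lighttpd.

```python
import gzip
import http.client
import re
import zlib
from typing import Dict, List, Optional, Tuple

# SSI directive syntax: <!--#command attr="value" ... -->
# A correctly processed page never contains this text; a leaked one does.
SSI_DIRECTIVE = re.compile(r"<!--#\s*(\w+)\b(.*?)-->", re.DOTALL)


def find_leaked_ssi(body: str) -> List[Tuple[str, str]]:
    """Return (command, attributes) pairs for every raw SSI directive in body."""
    return [(m.group(1), m.group(2).strip()) for m in SSI_DIRECTIVE.finditer(body)]


def decode_body(raw: bytes, content_encoding: Optional[str]) -> bytes:
    """Undo Content-Encoding like a browser would, so compressed leaks are not missed.

    This matters here because the report says the leak only shows up when
    mod_compress is active: a naive grep over the wire bytes sees gzip noise."""
    enc = (content_encoding or "").strip().lower()
    if enc == "gzip":
        return gzip.decompress(raw)
    if enc == "deflate":
        try:
            return zlib.decompress(raw)        # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(raw, -15)   # raw deflate, as some servers send it
    return raw


def check_server(host: str, port: int, paths: List[str],
                 rounds: int = 5) -> Dict[str, List[List[Tuple[str, str]]]]:
    """Fetch paths repeatedly over a single keep-alive HTTP/1.1 connection with
    compression enabled, mirroring the browser behaviour from the report.

    Returns {path: [directives leaked in each round where something leaked]}.
    An empty dict means no raw SSI directive was observed."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    leaks: Dict[str, List[List[Tuple[str, str]]]] = {}
    headers = {"Accept-Encoding": "gzip, deflate", "Connection": "keep-alive"}
    try:
        for _ in range(rounds):
            for path in paths:
                conn.request("GET", path, headers=headers)
                resp = conn.getresponse()
                body = decode_body(resp.read(), resp.getheader("Content-Encoding"))
                found = find_leaked_ssi(body.decode("utf-8", "replace"))
                if found:
                    leaks.setdefault(path, []).append(found)
    finally:
        conn.close()
    return leaks


# Constructed sample responses (assumed, not captured from a real server).
RENDERED_RESPONSE = (
    "<!DOCTYPE html>\n<html>\n<head>\n <title>SSI-Generated</title>\n"
    ' <link href="style.css" rel="stylesheet" type="text/css" />\n</head>\n'
    " <hr>\n</html>\n"
)
LEAKED_RESPONSE = (
    "<!DOCTYPE html>\n<html>\n<head>\n <title>SSI-Generated</title>\n"
    ' <link href="style.css" rel="stylesheet" type="text/css" />\n</head>\n'
    ' <!--#exec cmd="mysql -p passwd -e \'select 1\'" -->\n</html>\n'
)


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Run the detector over the constructed samples, including a gzip'd copy
    of the leaked page to show the decode step is needed."""
    clean = find_leaked_ssi(RENDERED_RESPONSE)
    compressed = gzip.compress(LEAKED_RESPONSE.encode("utf-8"))
    leaked = find_leaked_ssi(decode_body(compressed, "gzip").decode("utf-8"))
    return clean, leaked


if __name__ == "__main__":
    clean, leaked = demo()
    print("rendered page leaks:", clean)
    print("leaked page directives:", leaked)
    # Against a live server (assumed host/port/paths):
    # print(check_server("127.0.0.1", 80, ["/index.shtml", "/style.css"]))
```

Because the report says the failure is intermittent, check_server() makes several rounds over one connection rather than a single request; a clean result from wget or curl alone proves little, so the rounds and the gzip/keep-alive headers are the part that matters.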