Ever since I wrote the CERT bulletin about the Guestbook Security Problem,
I have been getting tons of email from people who have not read the
bulletin or the README very carefully.
People have sent email ranging from "you bastard" to "when will you
fix the 'bug'" to "how do I patch this hole".
So, I am going to spell things out once again in hopes that people will
leave me an CERT alone. :)
Well, not exactly!
For 99% of guestbook users, there should be no concern about a security
hole. The hole only occurs for users who:
Further, serious dammage can only occur if:
- Use SSI (Server Side Include) technology on their website
- Have enabled SSI in the directory containing the guestbook.html file
- Have enabled the use of HTML tags in the setup file
- Have not included keywords like "exec" in their @bad_words list in the
As you can see, there are quite a few "ifs" there. As I said, the
security hole affects very few people.
- Your server is running as root (NOBODY SHOULD EVER DO THIS ANYWAYS)
- Your server is not running as root, but you have not carefully set the
permissions on the files in your web tree.
Just to be safe, the setup file includes two variables which can be used
to disable SSI whether or not you have it enabled. These are: $allow_html
If you are concerned about security, turn off the use of HTML in your
guestbook with the line
$allow_html = "no";
This will disable the use of the comment tag which is used to
denote SSI commands. Or, add SSI keywords like "exec" to the @bad_words
array using the syntax:
@bad_words = ("exec");
Without the "exec" command users will not be able to execute server
functions. At any rate, I recommend the follwong things:
However, if you must disregard these suggestions, simply dissallow the use
of HTML and you'll be just fine. Whatever else, don't panic!
- Do not use SSI unless you really know what you are doing
- Do not run your web server as root.
- When you are done editing HTML or CGI files, set permissions to not be
writable by anyone.
- Back up everything!
- Keep in mind that every piece of software can be hacked. You are
never safe, but by learning more, you can better your chances.