eXtropia: the open web technology company
WebGuestbook
There is no security hole
Ever since I wrote the CERT bulletin about the Guestbook Security Problem, I have been getting tons of email from people who have not read the bulletin or the README very carefully.

People have sent email ranging from "you bastard" to "when will you fix the 'bug'" to "how do I patch this hole".

So, I am going to spell things out once again in hopes that people will leave me and CERT alone. :)

Well, not exactly!

For 99% of guestbook users, there should be no concern about a security hole. The hole only occurs for users who:

  • Use SSI (Server Side Include) technology on their website
  • Have enabled SSI in the directory containing the guestbook.html file
  • Have enabled the use of HTML tags in the setup file
  • Have not included keywords like "exec" in their @bad_words list in the setup file.
Further, serious damage can only occur if:
  • Your server is running as root (NOBODY SHOULD EVER DO THIS ANYWAYS)
  • Your server is not running as root, but you have not carefully set the permissions on the files in your web tree.
As you can see, there are quite a few "ifs" there. As I said, the security hole affects very few people.

HOWEVER

Just to be safe, the setup file includes two variables which can be used to disable SSI whether or not you have it enabled. These are: $allow_html and @bad_words.

If you are concerned about security, turn off the use of HTML in your guestbook with the line

$allow_html = "no";

This will disable the use of the comment tag which is used to denote SSI commands. Or, add SSI keywords like "exec" to the @bad_words array using the syntax:

@bad_words = ("exec");

Without the "exec" command users will not be able to execute server functions. At any rate, I recommend the following things:

  • Do not use SSI unless you really know what you are doing
  • Do not run your web server as root.
  • When you are done editing HTML or CGI files, set permissions to not be writable by anyone.
  • Back up everything!
  • Keep in mind that every piece of software can be hacked. You are never safe, but by learning more, you can better your chances.
However, if you must disregard these suggestions, simply disallow the use of HTML and you'll be just fine. Whatever else, don't panic!
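To show what the two setup variables above actually do to a submitted entry, here is an added example of my own in Python; it is not WebGuestbook's Perl code, and the names ALLOW_HTML, BAD_WORDS, sanitize_entry and review are mine. It mirrors the page's two settings ($allow_html and @bad_words) and, going one step beyond the page, also refuses any entry that opens an SSI directive ("<!--#") regardless of the keyword list.

```python
import html
import re

# Mirrors the WebGuestbook setup variables the page describes ($allow_html
# and @bad_words); the Python names and behaviour here are assumptions.
ALLOW_HTML = "no"
BAD_WORDS = ("exec",)

# Matches the opening of any SSI directive, e.g. <!--#exec cmd="..." -->.
# Checking for the directive prefix catches SSI commands whose keyword is
# not in BAD_WORDS.
SSI_DIRECTIVE = re.compile(r"<!--\s*#", re.IGNORECASE)


def sanitize_entry(comment, allow_html=ALLOW_HTML, bad_words=BAD_WORDS):
    """Return the text to store for a guestbook entry, or None if rejected.

    allow_html == "no": every tag is escaped, so a comment tag (and any SSI
    directive inside it) becomes literal text and is never seen by the
    server's SSI handler.  This is the page's "$allow_html = "no"" setting.
    allow_html == "yes": the entry is kept as HTML but refused when it
    contains an SSI directive or any word from bad_words (the page's
    @bad_words list).  Keyword matching is case-insensitive on purpose.
    """
    if allow_html.lower() != "yes":
        return html.escape(comment, quote=True)
    if SSI_DIRECTIVE.search(comment):
        return None
    lowered = comment.lower()
    if any(word.lower() in lowered for word in bad_words):
        return None
    return comment


# Constructed sample entries, not taken from any real guestbook.
SAMPLE_ENTRIES = [
    "Nice site, thanks!",
    "<b>Great</b> guestbook",
    '<!--#exec cmd="echo hello" -->',  # an SSI directive inside a comment tag
]


def review(entries, allow_html, bad_words=BAD_WORDS):
    """Run the setup policy over entries; return (stored, rejected) lists."""
    stored, rejected = [], []
    for entry in entries:
        result = sanitize_entry(entry, allow_html, bad_words)
        if result is None:
            rejected.append(entry)
        else:
            stored.append(result)
    return stored, rejected
```

With $allow_html set to "no" nothing is rejected, because the escaped comment tag can no longer be parsed as an SSI directive; with it set to "yes" the third sample is refused by the directive check.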