Package: lighttpd
Version: 1.4.31-3
Severity: important

Dear Maintainer,
If you download a website which includes SSI commands from lighttpd, lighttpd sometimes serves the command instead of interpreting it. This only happens if you load multiple files with HTTP/1.1 and compression. So you have to enable mod_compression and you have to use a modern browser (konqueror or chromium, not wget or curl) to reproduce this. Since this does not happen always, you may have to reload 2 or 3 times to reproduce it.

A minimalistic shtml file which causes this bug is this (since some mail clients interpret HTML, I replaced < and > by [ and ]):

>[!DOCTYPE html]
>[html]
>[head]
> [title]SSI-Generated[/title]
> [link href="style.css" rel="stylesheet" type="text/css" /]
>[/head]
> [!--#exec cmd="echo '<hr>'" --]
>[/html]

(A link to an external stylesheet or JS file seems to be important to cause this bug.)

Since there are people who have secret data in their commands, this can be really dangerous for some servers. (Something like --#exec cmd="mysql -p passwd [...]" -- is not uncommon.)

Greetings,
wanne

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lighttpd depends on:
ii  libattr1                    1:2.4.46-8
ii  libbz2-1.0                  1.0.6-4
ii  libc6                       2.13-38
ii  libfam0                     2.7.0-17
ii  libldap-2.4-2               2.4.31-1
ii  libpcre3                    1:8.30-5
ii  libssl1.0.0                 1.0.1e-1
ii  libterm-readline-perl-perl  1.0303-1
ii  lsb-base                    4.1+Debian8
ii  mime-support                3.52-1
ii  perl                        5.14.2-20
ii  zlib1g                      1:1.2.7.dfsg-13

Versions of packages lighttpd recommends:
pn  spawn-fcgi  <none>

Versions of packages lighttpd suggests:
pn  apache2-utils  <none>
ii  openssl        1.0.1e-1
pn  rrdtool        <none>

-- Configuration Files:
/etc/lighttpd/lighttpd.conf changed [not included]

-- no debconf information
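A defender-side check for the failure mode described in this report, written as an added example that is not part of the bug report or of lighttpd itself. It recreates the reporter's conditions from the monitoring side: several HTTP/1.1 requests on one keep-alive connection with gzip accepted, fetching the SSI page and the stylesheet it links, and scanning each decoded response body for a raw, unexpanded SSI directive such as "<!--#exec ...-->". The host, port, paths and the sample bodies are constructed assumptions, not values from the report.

```python
"""Detect SSI directives leaking unexpanded into HTTP responses.

Added example (not from the bug report or lighttpd). Host, port, paths and
the SAMPLE_* bodies below are constructed assumptions for illustration.
"""
import gzip
import http.client
import re
import zlib
from typing import Dict, List, Optional

# A working SSI handler never emits the raw "<!--# ... -->" form; any match
# means the directive (and whatever secrets its command line carries) was
# served to the client instead of being executed. Non-greedy so that a '>'
# inside the command (e.g. echo '<hr>') does not break the match.
SSI_DIRECTIVE = re.compile(rb"<!--\s*#\s*(\w+)\b.*?-->", re.IGNORECASE | re.DOTALL)


def decode_body(body: bytes, content_encoding: Optional[str]) -> bytes:
    """Undo Content-Encoding so the scan sees what the browser would render."""
    enc = (content_encoding or "identity").strip().lower()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)          # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate
    return body


def find_unexpanded_ssi(body: bytes, content_encoding: Optional[str] = None) -> List[str]:
    """Return the names of SSI directives (exec, include, ...) found raw in a response."""
    decoded = decode_body(body, content_encoding)
    return [m.group(1).decode("ascii", "replace").lower()
            for m in SSI_DIRECTIVE.finditer(decoded)]


def check_server(host: str, port: int, paths: List[str], rounds: int = 5) -> Dict[str, List[str]]:
    """Fetch `paths` repeatedly over one keep-alive HTTP/1.1 connection.

    Returns {path: [directive names]} for each response that carried a raw
    directive. The reporter needed several reloads, hence `rounds`.
    """
    leaks: Dict[str, List[str]] = {}
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        for _ in range(rounds):
            for path in paths:
                conn.request("GET", path, headers={
                    "Accept-Encoding": "gzip, deflate",
                    "Connection": "keep-alive",
                })
                resp = conn.getresponse()
                found = find_unexpanded_ssi(resp.read(), resp.getheader("Content-Encoding"))
                if found:
                    leaks.setdefault(path, []).extend(found)
    finally:
        conn.close()
    return leaks


# Constructed sample bodies (assumptions, not captured from a real server):
# one leaked page with two raw directives, and the same page correctly expanded.
SAMPLE_LEAK = (b'<html><head><title>SSI-Generated</title></head>\n'
               b'<!--#include virtual="/header.html" -->\n'
               b'<!--#exec cmd="echo \'<hr>\'" -->\n</html>')
SAMPLE_LEAK_GZ = gzip.compress(SAMPLE_LEAK)
SAMPLE_CLEAN = b"<html><head><title>SSI-Generated</title></head>\n<hr>\n</html>"


if __name__ == "__main__":
    # Assumed host and paths, mirroring the reporter's minimal page plus stylesheet.
    result = check_server("localhost", 80, ["/index.shtml", "/style.css"])
    if result:
        print("Raw SSI directives leaked:", result)
    else:
        print("No raw SSI directives seen")
```

Run it against a staging host after enabling compression; any non-empty result is a leak worth treating as a credential exposure, since the directive's command line is exactly what reached the client.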