Description
guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".
Affected products
- apache / http_server1.3.9 – 1.3.9
- matt_wright / matt_wright_guestbook2.3 – 2.3