Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SSI Injection Question

From: David Schwartz <davids () WEBMASTER COM>
Date: Fri, 1 Sep 2000 10:33:41 -0700
Please excuse me if this has already been discussed, or I end up
sounding really stupid.

Imagine you had a CGI script (i.e search engine), that would return
input entered by the user to some sort of result page, for example,
"no matches for pretzel". Now, imagine again that this result had an
extention that was listed to be run over by the SSI interperator.

What would happen if you passed a string like "<!--#include
virtual="/etc/password"-->"?

When the string was printed to a result page would it then by parsed by
the SSI interperator?


        No.


The only reason I ask is because its not uncommon for sites to set
"AddType server-parsed .html", for the sake of having a universal
extention.


        .html != .cgi

        The web server doesn't go back and parse the output of the CGI script.
That's the CGI script's job. The same extension could not easily be made to
both launch a CGI script and somehow pipe the output of that script into the
SSI engine.

        DS
Previous By Date Next
Previous By Thread Next

Current thread: