Vulnerability Development mailing list archives
Re: SSI Injection Question
From: Mark Rafn <dagon () DAGON NET>
Date: Fri, 1 Sep 2000 10:59:07 -0700
On Fri, 1 Sep 2000, Max wrote:
Please excuse me if this has already been discussed, or I end up sounding really stupid.
[excused, but I request that some exploration be done before posting. This is answered for Apache in the FAQ F.9.]
Imagine you had a CGI script (i.e search engine), that would return input entered by the user to some sort of result page, for example, "no matches for pretzel". Now, imagine again that this result had an extention that was listed to be run over by the SSI interperator. What would happen if you passed a string like "<!--#include virtual="/etc/password"-->"?
This is going to be server-dependent, but I don't know of any servers that parse script output this way. CGI output goes straight (more or less) to the client, not piped through another scripting stage. -- Mark Rafn dagon () dagon net <http://www.dagon.net/>
Current thread:
- SSI Injection Question Max (Sep 01)
- Re: SSI Injection Question David Schwartz (Sep 01)
- Re: SSI Injection Question Mark Rafn (Sep 01)
- Re: SSI Injection Question Bluefish (P.Magnusson) (Sep 03)
- Re: SSI Injection Question Joe (Sep 01)