Vulnerability Development mailing list archives
Re: SSI Injection Question
From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Sat, 2 Sep 2000 11:15:34 +0200
Erm :) This is actually not as far fetched as you think. There are a number of pages recommending you to setup .html to be SSI, mostly in order to allow SSI on the index-page. [really stupid, the actuall solution is to add index.shtml's as index-pages] This combined with that there are scripts which creates .html files... *argh* (a number of wwwboards & alike) You fail to realize how bad administrators & cgi-coders that there are out there. Not that CGI is simple to secure, but many people seem to have read a "DON'T DO" list and 'follow' it ;-)
What would happen if you passed a string like "<!--#include virtual="/etc/password"-->"?This is going to be server-dependent, but I don't know of any servers that parse script output this way. CGI output goes straight (more or less) to the client, not piped through another scripting stage.
..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team
Current thread:
- SSI Injection Question Max (Sep 01)
- Re: SSI Injection Question David Schwartz (Sep 01)
- Re: SSI Injection Question Mark Rafn (Sep 01)
- Re: SSI Injection Question Bluefish (P.Magnusson) (Sep 03)
- Re: SSI Injection Question Joe (Sep 01)