WebApp Sec mailing list archives
Re: #include file tag in HTML: possible issues?
From: Jon Hart <jhart () spoofed org>
Date: Mon, 16 Jan 2006 18:04:17 -0500
On Fri, Jan 13, 2006 at 04:21:23PM +0100, Giuseppe DELL'ERBA wrote:
Hi all, I have to evaluate from security point of view an application that is going to add in its template pages the #include file tag. This will allow a section of code to be inserted in the page, and the code that is inserted may be stored in an external file. Do you think this feature can introduce possible security threats? And, eventually, the remediation needed?
Assuming Apache, I can think of a number of ways this could go wrong. The two most worthy points are the "exec" element and using any other SSI elements that can or are forced to used data provided by the user. If using exec, follow the same procedures that you would in any other language when calling the shell -- be very paranoid. Use fully-qualified paths, use data sent via the user extremely carefully if at all, etc. The remainder of the SSI elements have some interesting XSS possiblities, especially when you consider the environment variables available to Apache (http://www.zytrax.com/tech/web/env_var.htm seems to be a good list). If you read Apache docs for mod_include, there is a lot of functionality there that could certaily give someone coding the HTML to shoot themselves in the foot fairly easily. I also seem to recall something a while back whereby if a site uses SSI and a particular page using SSI is vulnerable to XSS, you can potentially inject your own SSI tags at which point it is game over. I don't believe this was in Apache. -jon
Attachment:
signature.asc
Description: Digital signature
Current thread:
- #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 14)
- Re: #include file tag in HTML: possible issues? Aman Raheja (Jan 15)
- RE: #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 17)
- Re: #include file tag in HTML: possible issues? Jon Hart (Jan 17)
- <Possible follow-ups>
- RE: #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 20)
- Re: #include file tag in HTML: possible issues? Aman Raheja (Jan 15)