Re: #include file tag in HTML: possible issues?

[Jon Hart <jhart () spoofed org>]

On Fri, Jan 13, 2006 at 04:21:23PM +0100, Giuseppe DELL'ERBA wrote:
> Hi all,
>
> I have to evaluate from security point of view an application that is
> going to add in its template pages the #include file tag.  This will
> allow a section of code to be inserted in the page, and the code that
> is inserted may be stored in an external file.  
>
> Do you think this feature can introduce possible security threats?
> And, eventually, the remediation needed?

Assuming Apache, I can think of a number of ways this could go wrong.
The two most worthy points are the "exec" element and using any other
SSI elements that can or are forced to used data provided by the user.

If using exec, follow the same procedures that you would in any other
language when calling the shell -- be very paranoid.  Use
fully-qualified paths, use data sent via the user extremely carefully if
at all, etc.

The remainder of the SSI elements have some interesting XSS
possiblities, especially when you consider the environment variables
available to Apache (http://www.zytrax.com/tech/web/env_var.htm seems to
be a good list).

If you read Apache docs for mod_include, there is a lot of functionality
there that could certaily give someone coding the HTML to shoot
themselves in the foot fairly easily.

I also seem to recall something a while back whereby if a site uses SSI
and a particular page using SSI is vulnerable to XSS, you can
potentially inject your own SSI tags at which point it is game over.
I don't believe this was in Apache.

-jon

Attachment: signature.asc
Description: Digital signature