Vulnerability Development mailing list archives
Re: SSI Injection Question
From: David Schwartz <davids () WEBMASTER COM>
Date: Fri, 1 Sep 2000 10:33:41 -0700
Please excuse me if this has already been discussed, or I end up sounding really stupid. Imagine you had a CGI script (i.e search engine), that would return input entered by the user to some sort of result page, for example, "no matches for pretzel". Now, imagine again that this result had an extention that was listed to be run over by the SSI interperator. What would happen if you passed a string like "<!--#include virtual="/etc/password"-->"? When the string was printed to a result page would it then by parsed by the SSI interperator?
No.
The only reason I ask is because its not uncommon for sites to set "AddType server-parsed .html", for the sake of having a universal extention.
.html != .cgi The web server doesn't go back and parse the output of the CGI script. That's the CGI script's job. The same extension could not easily be made to both launch a CGI script and somehow pipe the output of that script into the SSI engine. DS
Current thread:
- SSI Injection Question Max (Sep 01)
- Re: SSI Injection Question David Schwartz (Sep 01)
- Re: SSI Injection Question Mark Rafn (Sep 01)
- Re: SSI Injection Question Bluefish (P.Magnusson) (Sep 03)
- Re: SSI Injection Question Joe (Sep 01)