Vulnerability Development mailing list archives

Re: SSI Injection Question


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Sat, 2 Sep 2000 11:15:34 +0200

Erm :)

This is actually not as far-fetched as you think. There are a number of
pages recommending that you set up .html to be SSI, mostly in order to allow
SSI on the index page. [really stupid, the actual solution is to add
index.shtml's as index pages] This, combined with the fact that there are
scripts which create .html files... *argh* (a number of wwwboards & the like)

You fail to realize how bad the administrators & CGI coders out there are.
Not that CGI is simple to secure, but many people seem to have
read a "DON'T DO" list and 'follow' it ;-)

What would happen if you passed a string like "<!--#include
virtual="/etc/password"-->"?

This is going to be server-dependent, but I don't know of any servers
that parse script output this way.  CGI output goes straight (more or
less) to the client, not piped through another scripting stage.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
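
Added example, not part of the original post: a sketch of how a board-style script that writes .html pages can neutralise SSI directives before the server's SSI parser ever sees them, plus a check for directives already stored in generated pages. All function names are hypothetical, and the sample input is constructed from the string quoted in the thread.

```python
import html
import re

# Deliberately loose match for the start of an SSI directive,
# e.g. <!--#include ...--> or <!--#exec ...-->
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*\w+", re.IGNORECASE)

# Constructed sample input, using the string quoted in the thread
SAMPLE_BODY = 'nice board <!--#include virtual="/etc/password"-->'


def contains_ssi(text):
    """True if the text holds something an SSI-enabled server could parse."""
    return SSI_DIRECTIVE.search(text) is not None


def render_post_unsafe(author, body):
    """The pattern the post warns about: raw input written into a .html page."""
    return "<p><b>%s</b>: %s</p>\n" % (author, body)


def render_post(author, body):
    """Escape < > & and quotes so '<!--#' can no longer open a directive."""
    return "<p><b>%s</b>: %s</p>\n" % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )


def audit_generated_pages(pages):
    """Return the names of generated pages that contain SSI directives.

    `pages` maps a file name to its content (hypothetical in-memory stand-in
    for reading the board's output directory).
    """
    return sorted(name for name, content in pages.items() if contains_ssi(content))


if __name__ == "__main__":
    pages = {
        "msg1.html": render_post_unsafe("guest", SAMPLE_BODY),
        "msg2.html": render_post("guest", SAMPLE_BODY),
    }
    print("pages needing cleanup:", audit_generated_pages(pages))
```
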

