Thursday, March 4, 2021

Apache SSI, is it secure?

Various authors have challenged Apache SSI security. For example:

Protecting Web Servers from Security Holes in Server-Side Includes by Jared Karro, Jie Wang, Division of Computer Science, University of North Carolina at Greensboro, Greensboro, NC 27402, USA, Jared Karro@uncg.edu, wang@uncg.edu
All of the examples this paper cites are internal attacks. Controlling who can edit the Web site and what user Apache runs as completely negates the claimed problems.

Generally, when people talk about the security of a Web scripting language, they are referring to external attacks. No one will claim that a Web language is totally immune, but SSI has, historically, had the fewest issues of any such language.

Other claimed vulnerabilities:
  • Server-Side Includes (SSI) Injection
    • The authors provide no explanation of how the injection is to be accomplished. Setting the file system permissions so the Web server can't write to the Web pages and turning off Exec permission, which are standard procedures for securing an Apache site, should eliminate any possibility of this working.
    • Perhaps they are referring to using the query string as a variable in an SSI command. Programmers must be cautioned never to do this without first validating the contents of the query string.
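The two controls mentioned above (turning off Exec permission, and keeping the Web server from writing to its own pages) look like this in httpd configuration. This is an added example, not part of the original post or of Apache's documentation; the directory path and the account names in the note below are assumptions.

```apache
# Added example: the same document tree configured two ways.
# /var/www/site is an assumed path.

# --- Risky: allows <!--#exec cmd="..." --> in any page under the tree ---
<Directory "/var/www/site">
    Options +Includes
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

# --- Hardened: same #include / #echo / #if features, minus #exec ---
<Directory "/var/www/site">
    # IncludesNOEXEC disables the #exec element and refuses to
    # "#include virtual" a CGI script, so a directive that somehow lands
    # in a page cannot run a command.
    Options +IncludesNOEXEC -ExecCGI
    # Keep a per-directory .htaccess from switching Exec back on.
    AllowOverride None
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>
```

The filesystem half is the same standard procedure the post describes: the pages are owned by the account that edits the site (say, deploy) and are readable but not writable by the account httpd runs as (say, www-data), so nothing the server does at request time can change a page. For the query-string caveat, the pattern to avoid is splicing the raw query string into the path of an `#include virtual` or into any `#exec`; merely displaying it with `#echo` is entity-encoded by default in mod_include, which is why echoing it has never been the problem.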

Thoughts on Chromebook

In particular, Acer CB515.

We have retired our desktop computers, a Mac Mini and the mid-tower running Ubuntu, in favor of Acer Chromebooks. Yes, there is the concern about being logged into Google all the time. Offsetting that are the following pluses:

  • Low price ($300, Oct. 2019)
  • Simple
  • Excellent performance
    • Dozens of browser tabs
    • Half a dozen or more apps
    • Slow loading Linux apps...but once loaded performance is excellent
  • Run most Android apps
  • Multiple desktops (with a dedicated key for creating and switching - F5 on external keyboard) and separate desktops for each display
    • With one external monitor and the laptop screen, that's 4 desktops each for a total of 8
  • Multiple displays, mirrored or extended desktop, user choice
  • Run Debian-compatible Linux apps
  • Special keys for search and multiple desktops
  • Works with most printers, either directly or via Google Cloudprint
    • Better than Linux
  • Has Penguin Linux available. Most things seem to work.
    • Thunderbird
    • Firefox
    • Gimp
    • grsync
    • Missing:
      • apturl
  • Integrates with Android smart phones
    • Unlock
    • Text messages
  • Hardware:
    • All solid state
    • Display: full 1080 15.6" screen with excellent color and viewing angle
    • Good speakers and keyboard
    • Lots of ports
      • USB 3 (2)
      • USB C (2)
      • HDMI (external monitor)
      • Headphones
    • MicroSD slot
    • Brushed aluminum case with strong screen hinge (very similar to Apple MacBook Pro)
      • Slim
      • Lightweight
      • Note: screen hinge failed in a little over a year
    • Touchscreen
    • Large touchpad with 2-finger support
      • 2-finger drag
      • pinch and zoom
    • Long battery life
    • Kensington lock slot

Even though it has only 32GB of built-in eMMC, the MicroSD slot expands that substantially. Huge external drives can be connected to the USB C.