Protecting Web Servers from Security Holes in Server-Side Includes by Jared Karro, Jie Wang, Division of Computer Science, University of North Carolina at Greensboro, Greensboro, NC 27402, USA, Jared Karro@uncg.edu, firstname.lastname@example.orgAll of the examples this paper sites are internal attacks. Controlling who can edit the Web site and what user Apache runs as completely negate the claimed problems.
Generally, when people talk about the security of a Web scripting language, they are referring to external attacks. No one will claim that a Web language is totally immune, but SSI has, historically, had the fewest issues of any such language.
Other claimed vulnerabilities:
- Server-Side Includes (SSI) Injection
- The authors provide no explanation of how the injection is to be accomplished. Setting the file system permissions so the Web server can't write to the Web pages and turning off Exec permission, which are standard procedures for securing an Apache site, should eliminate any possibility of this working.
- Perhaps they are referring to using the query string as a variable in an SSI command. Programmers must be cautioned to never do this without checking the content of the query string.