DefenseCode

Server Side Includes

Risk type: HIGH

Description:

Server side includes (SSI) are directives embedded in an HTML page that the web server parses and evaluates before serving the otherwise static page to the user. They are a lightweight alternative to CGI programs for simple tasks such as executing a system command (e.g. to print the current time), printing web server CGI environment variables, or including the content of another file.

If user-supplied data is written into a page that the server processes for SSI directives, the attacker can inject directives of his own. Depending on the server configuration this allows reading any file the web server user can read, or executing system commands, i.e. remote code execution.

Example:

An HTML page could use SSI to list the content of a directory:

<!--#exec cmd="ls -al" -->

If the page is vulnerable (user input is placed into an SSI-processed page without encoding), the attacker could inject:

<!--#include virtual="/etc/passwd" -->

On a Unix-based system, the next time the page is loaded the server includes the content of /etc/passwd (the account database) in the response. Where the #exec directive is enabled, the same injection point lets the attacker run arbitrary commands as the web server user.

Mitigation:

  • Disable SSI processing on the web server if it is not needed (in Apache, do not enable the Includes option or do not load mod_include).
  • Validate and sanitize user input before it is written into an SSI-processed page. This includes rejecting, stripping or HTML-encoding the characters that form an SSI directive, in particular the sequence "<!--#" and the closing "-->".
  • Use suEXEC so that SSI programs execute as the owner of the file instead of the web server user, limiting what a successful injection can reach.
  • Set "Options IncludesNOEXEC" in the server configuration (historically the global "access.conf", now httpd.conf) or in a local ".htaccess" file (Apache) for directories that need SSI but not command execution: includes still work, but the #exec directive is disabled.
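The following added example (not part of the original page or of any web server's code) models the injection from the Example section and the input-encoding mitigation above with a toy SSI processor. It handles only #echo and #include virtual, resolves includes against a constructed in-memory file system and environment, and refuses #exec; the file content, the variable values and the function names are assumptions for illustration. Real servers such as Apache mod_include support more directives and attributes.

```python
import html
import re

# Constructed stand-in for the server's file system and CGI environment.
VIRTUAL_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww:x:33:33:www:/var/www:/usr/sbin/nologin\n",
    "/footer.html": "<p>Generated by the toy server</p>",
}
ENV = {"DATE_LOCAL": "Thu, 01 Jan 2015 00:00:00 UTC", "SERVER_SOFTWARE": "toy/0.1"}

# One SSI directive: <!--#command attribute="value" -->
DIRECTIVE = re.compile(r'<!--#(\w+)\s+(\w+)="([^"]*)"\s*-->')
SSI_ERROR = "[an error occurred while processing this directive]"


def process_ssi(page):
    """Evaluate SSI directives in a page the way a server would before serving it."""
    def evaluate(match):
        command, attribute, value = match.groups()
        if command == "echo" and attribute == "var":
            return ENV.get(value, "(none)")
        if command == "include" and attribute == "virtual":
            return VIRTUAL_FS.get(value, SSI_ERROR)
        if command == "exec":
            # A real server with Options +Includes would run the command here.
            return "[exec disabled in this toy processor]"
        return SSI_ERROR
    return DIRECTIVE.sub(evaluate, page)


def render_vulnerable(name):
    """User input concatenated into an .shtml page before SSI parsing: injectable."""
    return process_ssi(f"<h1>Hello {name}</h1>")


def render_safe(name):
    """HTML-encoding the input breaks the '<!--#' sequence, so no directive is parsed."""
    return process_ssi(f"<h1>Hello {html.escape(name)}</h1>")


def looks_like_ssi(value):
    """Input filter: flag anything resembling an SSI directive opener.

    Deliberately tolerant of whitespace after '<!--' so that it can also be used
    to search request logs for attempts that a strict parser would have ignored.
    """
    return re.search(r"<!--\s*#", value) is not None


if __name__ == "__main__":
    payload = '<!--#include virtual="/etc/passwd" -->'
    print("vulnerable:", render_vulnerable(payload))
    print("safe:      ", render_safe(payload))
    print("filter:    ", looks_like_ssi(payload), looks_like_ssi("Alice"))
```

render_vulnerable shows the server emitting the account database, while render_safe returns the encoded directive as inert text; looks_like_ssi is the reject-or-log check to apply at the input boundary, in addition to encoding on output.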

Further reading:

https://www.owasp.org/index.php/Server-Side_Includes_(SSI)_Injection
http://projects.webappsec.org/w/page/13246964/SSI%20Injection