August 10th, 2003, 09:19 AM
How does SSI exploitation work?
August 10th, 2003, 07:03 PM
Re: SSI Exploitation
That's not exactly the type of thing to be asking around here. In fact I think this is only half a step above asking how hotmail "hacking" works. But I'm bored so I'm just going to go ahead and answer your stupid ****ing question...
Originally posted here by Kulay
How does SSI exploitation work?
If I remember correctly... if there is a script that prints the output in a .shtml file then it might be possible to insert file includes, and if it has shitty server configuration you've also got execution of commands. Below this is a very poor example of an attacker inserting SSI tags into the Referrer and User-Agent fields. Depending on whether the software outputs this information as text or in image form this could possibly lead to file includes or maybe even command execution.
su-2.05# telnet localhost 80
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.1 200 OK
Date: Sun, 10 Aug 2003 00:0:00 GMT
I hope the lame question has been successfully answered. And by the way dude, you're welcome ya damn moron.
August 10th, 2003, 07:38 PM
So feisty, eh |The|Specialist
He could also ask this question from the "security" point of view so he won't make his scripts really insecure by not caring about SSI.
One example you gave is if the output is somehow stored into an .shtml file which can have server side includes (SSI) enabled. That can be a way for lazy programmers to add files or commands into a simple .shtml file, without needing all kinds of CGI or other scripty things. You can for instance add header files with the logo of your website and the CSS thingys in it to the top of all shtml files, so you don't have to copy and paste it to all of them. If you, however, make a script that asks for a name or something with no input filtering and you put on the shtml page something like "Hi, <insert name here with some script>", a malicious user could insert an SSI tag (see TheSpecialist's post) and get the /etc/passwd file on the page.
I know I explained this very shittily, but well... go search on Google and you'll find a thousand times better info than I could type here in hours.
August 10th, 2003, 11:40 PM
My two cents:
SSI, just like any other web technology, when used in the wrong way can be exploited. SSI for example can execute system commands. If we think about the power a malicious person can have with this ability, the possibilities are endless. This is why most free web hosts disable SSI. This is not necessarily that they don't trust you, but they don't trust anyone, including your site visitors. When SSI statements such as exec are placed into an HTML document, these powers become available. Say you upload a new shtml document to the host; you could be the malicious one. Or you may not be malicious, but maybe someone who signs your guestbook might be.
Anyway, an attacker who can get an SSI-enabled page to be parsed by the server can exploit the server. Filling in a web form such as a guestbook, for example, is a common way used to inject SSI into an already existing SSI document. I will not go into details on how to do this however.
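Added example, not posted by anyone in this thread: a small Python sketch of the two defensive sides of what the guestbook post above and TheSpecialist's Referrer/User-Agent remark describe. It HTML-escapes untrusted input before it is written into a server-parsed .shtml page, so an injected directive is shown as text rather than executed, and it scans the Referer and User-Agent fields of web-server log lines for SSI directive syntax so that attempts show up in monitoring. The log lines are constructed samples, and the function names are my own.

```python
import html
import re

# Apache mod_include directives look like "<!--#element attr=value -->".
# This pattern is deliberately a little looser than Apache's exact grammar
# (it tolerates whitespace after the '#') so sloppy variants are still flagged.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|printenv|fsize|flastmod"
    r"|if|elif|else|endif)\b",
    re.IGNORECASE,
)

def contains_ssi_directive(text: str) -> bool:
    """True if the string carries something that looks like an SSI directive."""
    return SSI_DIRECTIVE.search(text) is not None

def escape_for_shtml(user_input: str) -> str:
    """Escape untrusted text before embedding it in a server-parsed page.
    '<' becomes '&lt;', so '<!--#...' can no longer open a directive."""
    return html.escape(user_input, quote=True)

def render_guestbook_entry(name: str) -> str:
    """The fragment a guestbook script would append to guestbook.shtml,
    with the visitor-supplied name neutralised first."""
    return "Hi, " + escape_for_shtml(name)

# Constructed Apache combined-format log lines; the third carries an SSI
# directive in the User-Agent field (Apache writes embedded quotes as \").
SAMPLE_LOG = [
    '10.0.0.1 - - [10/Aug/2003:00:00:00 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.2 - - [10/Aug/2003:00:00:01 +0000] "GET /guestbook.shtml HTTP/1.0" 200 900 '
    '"http://example.com/" "Lynx/2.8"',
    '10.0.0.3 - - [10/Aug/2003:00:00:02 +0000] "GET / HTTP/1.0" 200 512 "-" '
    '"<!--#exec cmd=\\"id\\" -->"',
]

def flag_suspicious_log_lines(lines):
    """Return 1-based indexes of lines whose Referer or User-Agent field
    (the last two quoted fields in combined format) looks like SSI."""
    flagged = []
    for n, line in enumerate(lines, start=1):
        fields = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if len(fields) >= 3 and any(contains_ssi_directive(f) for f in fields[-2:]):
            flagged.append(n)
    return flagged
```

Escaping is the application-level fix for a guestbook that must keep SSI enabled; the thread's final answer, turning SSI off on the server, removes the parsing step altogether.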
August 11th, 2003, 07:53 AM
Thanks, somehow I've learned something out of it. Just for curiosity, is there any security for this?
August 11th, 2003, 10:36 AM
Yes, disable SSI on the server side.