Vulnerability Development: Re: SSI Injection Question

Re: SSI Injection Question

From: David Schwartz <davids_at_WEBMASTER.COM>
Date: Fri, 1 Sep 2000 10:33:41 -0700

> Please excuse me if this has already been discussed, or I end up
> sounding really stupid.
>
> Imagine you had a CGI script (i.e. search engine), that would return
> input entered by the user to some sort of result page, for example,
> "no matches for pretzel". Now, imagine again that this result had an
> extension that was listed to be run over by the SSI interpreter.
>
> What would happen if you passed a string like "<!--#include
> virtual="/etc/password"-->"?
>
> When the string was printed to a result page would it then be parsed by
> the SSI interpreter?

        No.

> The only reason I ask is because it's not uncommon for sites to set
> "AddType server-parsed .html", for the sake of having a universal
> extension.

        .html != .cgi

        The web server doesn't go back and parse the output of the CGI script.
That's the CGI script's job. The same extension could not easily be made to
both launch a CGI script and somehow pipe the output of that script into the
SSI engine.

        DS
Received on Sep 02 2000
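
Added example, not part of the original thread: a Python sketch of the question's search-result page that compares a raw echo of the search term with an HTML-escaped one and checks each page for SSI directives. It assumes the concern is output that some SSI-parsing stage might later read (an assumption, not the setup described in the reply); the function names and page template are hypothetical.

```python
"""Added example: echoing a search term into a result page, raw vs. escaped."""
import html
import re

# Matches an SSI directive such as <!--#include virtual="..." -->
SSI_DIRECTIVE = re.compile(r"<!--#\s*(\w+)\b.*?-->", re.DOTALL)

# Hypothetical result-page template, modelled on "no matches for pretzel".
PAGE = "<html><body><p>no matches for {term}</p></body></html>"


def render_raw(term: str) -> str:
    """Echo the term unchanged (the behaviour the question worries about)."""
    return PAGE.format(term=term)


def render_escaped(term: str) -> str:
    """Echo the term with <, >, & and quotes turned into entities."""
    return PAGE.format(term=html.escape(term, quote=True))


def find_ssi_directives(page: str) -> list[str]:
    """Return the element names of any SSI directives present in page."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(page)]


if __name__ == "__main__":
    # The string from the question, used here as a constructed search term.
    term = '<!--#include virtual="/etc/password"-->'
    for render in (render_raw, render_escaped):
        page = render(term)
        print(render.__name__, find_ssi_directives(page))
        print(page)
```

The same `find_ssi_directives` check can be run over any generated page before it is written somewhere a server-parsed handler would read it.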
