VID | 210152
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The web server on the host system is vulnerable to an SSI (Server-Side Includes) injection attack. SSI injection is a server-side exploit technique that allows an attacker to send code into a web application, which is later executed locally by the web server. It exploits a web application's failure to sanitize user-supplied data before that data is inserted into an HTML file that the server interprets. SSIs are directives placed in web pages to feed an HTML page with dynamic content. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being rendered. To do this, the web server parses and evaluates the SSI directives (and should validate any user input that reaches them) before serving the page to the user.
* References: https://www.owasp.org/index.php/Server-Side_Includes_(SSI)_Injection
* Platforms Affected: Any HTTP server, any version; any operating system, any version
Recommendation |
Take the following steps:
1. Restrict the set of characters a user is allowed to input.
2. Filter out every character except those the developer has explicitly allowed. In particular, special characters should be encoded as HTML entities before they are inserted into a page, for instance: < -> &lt; > -> &gt; " -> &quot; ( -> &#40; ) -> &#41; # -> &#35; & -> &amp;
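The output-encoding step from the recommendation above, as an added Python example (not code from the scanner or from OWASP); the function names and the sample comment text are constructed for illustration. It encodes the listed characters and checks that an SSI directive opener (`<!--#`) no longer survives in the rendered fragment.

```python
# Output encoding for user data that will be written into an SSI-parsed page,
# using exactly the entity mappings given in the Recommendation.
# Function names and sample data are this example's own (constructed), not
# taken from any scanner or web server.

SSI_ENTITY_MAP = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "(": "&#40;",
    ")": "&#41;",
    "#": "&#35;",
}


def encode_for_ssi_page(user_input: str) -> str:
    """Replace each listed special character with its HTML entity.

    The map is applied one character at a time, so an '&' produced by one
    replacement is never re-encoded, and all other characters pass through.
    """
    return "".join(SSI_ENTITY_MAP.get(ch, ch) for ch in user_input)


def contains_ssi_directive(text: str) -> bool:
    """True if the text still contains an SSI directive opener ('<!--#')."""
    return "<!--#" in text


def render_comment(raw: str) -> str:
    """Embed the encoded user comment into an HTML fragment."""
    return '<p class="comment">' + encode_for_ssi_page(raw) + "</p>"


# Constructed sample: a comment containing the standard 'echo' directive,
# which an SSI-enabled server would otherwise evaluate when serving the page.
SAMPLE_INPUT = 'nice page <!--#echo var="DATE_LOCAL" -->'

if __name__ == "__main__":
    print("raw    :", SAMPLE_INPUT)
    print("directive present before encoding:", contains_ssi_directive(SAMPLE_INPUT))
    safe = render_comment(SAMPLE_INPUT)
    print("encoded:", safe)
    print("directive present after encoding :", contains_ssi_directive(safe))
```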
Related URL (CVE) |
Related URL (SecurityFocus) |
Related URL (ISS) |