Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: #include file tag in HTML: possible issues?

from [Jon Hart] Network Security [Permanent Link]
Subject: Re: #include file tag in HTML: possible issues?
Date: Mon, 16 Jan 2006 18:04:17 -0500 
On Fri, Jan 13, 2006 at 04:21:23PM +0100, Giuseppe DELL'ERBA wrote:

Hi all,

I have to evaluate from security point of view an application that is
going to add in its template pages the #include file tag.  This will
allow a section of code to be inserted in the page, and the code that
is inserted may be stored in an external file.  

Do you think this feature can introduce possible security threats?
And, eventually, the remediation needed?


Assuming Apache, I can think of a number of ways this could go wrong.
The two most worthy points are the "exec" element and using any other
SSI elements that can or are forced to used data provided by the user.

If using exec, follow the same procedures that you would in any other
language when calling the shell -- be very paranoid.  Use
fully-qualified paths, use data sent via the user extremely carefully if
at all, etc.

The remainder of the SSI elements have some interesting XSS
possiblities, especially when you consider the environment variables
available to Apache (http://www.zytrax.com/tech/web/env_var.htm seems to
be a good list).

If you read Apache docs for mod_include, there is a lot of functionality
there that could certaily give someone coding the HTML to shoot
themselves in the foot fairly easily.

I also seem to recall something a while back whereby if a site uses SSI
and a particular page using SSI is vulnerable to XSS, you can
potentially inject your own SSI tags at which point it is game over.
I don't believe this was in Apache.

-jon

Attachment: signature.asc
Description: Digital signature

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Mambo File Inclusion Attacks, Mark Ryan del Moral Talabis
Next by Date:  Re: Re: notice: mambo scanner, dontbugme
Previous by Thread:  RE: #include file tag in HTML: possible issues?, Giuseppe DELL'ERBA
Next by Thread:  RE: #include file tag in HTML: possible issues?, Giuseppe DELL'ERBA
Indexes:  [Date] [Thread] [Top] [All Lists]