[thelist] including html dilemma

David.Cantrell at Gunter.AF.mil
Tue Sep 10 13:03:01 CDT 2002


>and secondly, how is SSI a security issue? i'd be interested to know
>because i can't say i've heard of that before. (that of course doesn't
>mean it's not true, it just means that i don't know *everything*.)

We just got bit by migration to Windows.NET server. Apparently it comes
"more secure" out of the box, and one of the features is eliminating the
ability to do SSI with relative file paths, e.g. the following is disabled
by default:

	<!--#include file="../foo/bar.html"-->

This is a setting that can be turned on, I believe on a per-virtual-site
basis.

My guess, it prevents joe-blow-user-turned-hacker from doing this:

	<!--#include file="../../../../../sensitive_file_i_shouldn't_see"-->

Or something similar.

This is blue-sky-theory for me, but it makes sense.

-dave
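
The check the message above guesses at, written out as an added example (not part of the original post and not IIS code): it scans a page for SSI include directives and reports which ones use ".." and which would climb above the site root. The function names, the verdict labels, the `/site/docs` page location and the sample page are assumptions made for illustration.

```python
import re

# Matches <!--#include file="..."--> and <!--#include virtual="..."-->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]*)"\s*-->', re.IGNORECASE)

def resolve(page_dir, target):
    """Resolve target against page_dir inside the site root.

    Returns the site-relative path, or None if a ".." segment climbs
    above the root. Walks segments by hand because normpath() silently
    clamps "/../x" to "/x", which would hide the escape.
    """
    target = target.replace("\\", "/")  # accept either separator
    # Simplification: a leading "/" means "from the site root".
    parts = [] if target.startswith("/") else [p for p in page_dir.split("/") if p]
    for seg in target.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def audit(source, page_dir):
    """Return (target, verdict, resolved) for every include directive."""
    findings = []
    for _kind, target in INCLUDE_RE.findall(source):
        resolved = resolve(page_dir, target)
        if resolved is None:
            verdict = "escapes-root"
        elif ".." in target.replace("\\", "/").split("/"):
            verdict = "parent-path"   # blocked when parent paths are off
        else:
            verdict = "ok"
        findings.append((target, verdict, resolved))
    return findings

# Constructed sample page, assumed to live in /site/docs of the web root.
SAMPLE = """<html>
<!--#include file="header.html"-->
<!--#include file="../foo/bar.html"-->
<!--#include file="../../../../../sensitive_file"-->
<!--#include virtual="/shared/footer.html"-->
</html>"""

if __name__ == "__main__":
    for row in audit(SAMPLE, "/site/docs"):
        print(row)
```

Running `audit` over existing pages before a migration lists every include that a parent-paths-off default would break, and separates those from includes that would reach outside the site entirely.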


