[Javascript] ssi, layers, table alternative to frames

David T. Lovering dlovering at gazos.com
Mon Apr 14 23:21:45 CDT 2003


Uh... maybe not.  Unpatched software (or even heavily patched software) is
not my favorite thing on the security hit-parade either.  I'm not going to
debate which security issue is the one of greatest concern -- there are guys
at CERT and CIAC who get paid a hell of a lot more than I do to think about
that.  However, just imagine for a moment if someone could force an SSI
to achieve the following result:

<tt>
<!--#exec cmd="cat /etc/passwd" -->
</tt>

Mind you, it wouldn't execute worth a darn, but it sure would whet the appetites 
of all those chaps with cracker.2.0.1 and the like waiting in anticipation.  I
deliberately picked one of the more obvious cases of abusing an SSI on a blatantly
misconfigured web server [which isn't a very fair comparison], but even some
innocuous SSI's can be "turned" by exotic syntax tricks into doing some dirty work.

Well, now that we're 180 miles away from JavaScript land, I think I'll rest a
spell, and wait for the NSA guys to knock on my door.

-- Dave Lovering

Michael Dougherty wrote:
> 
> More inherently insecure than unpatched software?  I can't understand how
> SSI is any more dangerous in a controlled environment than any other kind of
> active content.  <!-- #include virtual="/inc/TooLazyToRetype.htm" -->
> shouldn't be posing much security threat.  http://url/crackers/utility.asp
> would be a far worse thing to have running.  If this is listed as a drawback
> to using SSI, then I would suggest the administrator just disconnect the
> ethernet from the box or turn it off altogether...
> 
> "Just a thought"
> 
> -----Original Message-----
> From: javascript at LaTech.edu [mailto:javascript at LaTech.edu]
> Sent: Monday, April 14, 2003 9:23 PM
> To: javascript at latech.edu
> Subject: Re: [Javascript] ssi, layers, table alternative to frames
> 
> As an added downside of SSI's -- they are NOTORIOUSLY insecure.  When I first
> started honing my teeth on browser exploits for my computer security training,
> the very start of the discussion was on the many easy and exciting ways to
> crack a system that had SSI's in place and operational.  Although I've forgotten
> much of what I learned during that series of CSI seminars, the frightening
> simplicity of the exploits involved still sends shivers up my spine -- particularly
> when I hear well-meaning folks relying on those self-same server-side includes
> today.  (Sort of the same frisson I get from finding someone enabling anonymous
> FTP on a host that doesn't have backwards-path exclusion turned on).
> 
> When I look through the latest Apache "Black Book", it still warns against enabling
> SSI's except for the simplest of things.  Most military and government systems
> have a flat-out edict against SSI's, period -- for precisely that reason.  Next to
> buffer-overflow exploits, SSI's are a hacker's (oops! I mean a "cracker's") best
> friend.
> 
> -- Dave Lovering
> 
> P.S: I like frames too, and it took me a long time to learn to say that!
> 
> "McCoy, Thomas" wrote:
> >>
> >> I love frames.  Seriously!
> >>
> >> *ducks to avoid flaming*
> >>
> >> I choose frames over SSI on the library's site because our server that
> >> processed the includes is SLOW...  SSI processing added 3 seconds on each
> >> page load :(  I might be in the minority (having an ancient server), but I'd
> >> test the load speed before committing to anything.  The delay wasn't too
> >> noticeable until we went live... all those page requests made the server go
> >> chugga-chugga-chugga :(
> >>
> >>
> >> Sincerely,
> >> Thomas McCoy
> >> www.city.newport-beach.ca.us/nbpl/
> >>
> >>
> >> -----Original Message-----
> >>
> >> I'm sure you're already aware of the problems associated with using
> >> frames...
> >> _______________________________________________
> >> Javascript mailing list
> >> Javascript at LaTech.edu
> >> https://lists.LaTech.edu/mailman/listinfo/javascript
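
An added example, not part of the original messages: a Python sketch that audits page text for the SSI directives discussed in this thread and escapes the directive opener in visitor-supplied text before it is stored in a parsed page. The function names, the severity ranking and the sample page are assumptions made for illustration.

```python
import re

# Apache mod_include form: <!--#element attr="value" ... -->
# with no whitespace between "<!--" and "#".
SSI_RE = re.compile(r'<!--#(\w+)(.*?)-->', re.S)
ATTR_RE = re.compile(r'''(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))''')

# Review level per element (this ranking is an assumption of the example).
LEVELS = {"exec": "high", "include": "review"}


def find_directives(text):
    """Return (element, attrs) for every SSI directive in text."""
    found = []
    for m in SSI_RE.finditer(text):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(m.group(2)):
            attrs[name.lower()] = dq or sq or bare
        found.append((m.group(1).lower(), attrs))
    return found


def audit(text):
    """Rank each directive: exec runs a command or CGI, include pulls in a file."""
    return [(LEVELS.get(el, "info"), el, attrs)
            for el, attrs in find_directives(text)]


def neutralize(untrusted):
    """Escape the directive opener so visitor text in a parsed page stays inert."""
    return untrusted.replace("<!--#", "&lt;!--#")


# Constructed sample: the two directives quoted in the thread plus a harmless echo.
SAMPLE = '''<html><body>
<!--#include virtual="/inc/TooLazyToRetype.htm" -->
<!--#echo var="DATE_LOCAL" -->
<tt><!--#exec cmd="cat /etc/passwd" --></tt>
</body></html>'''

if __name__ == "__main__":
    for level, element, attrs in audit(SAMPLE):
        print(level, element, attrs)
    print(neutralize('nice site <!--#exec cmd="cat /etc/passwd" -->'))
```

On the server side, Apache's `Options IncludesNOEXEC` keeps includes working while disabling `#exec`.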

