Cover V05, I11
Sidebar 1

nov96.tar


Sidebar: Server Side Includes

What are Server Side Includes (SSIs)? SSIs are directives embedded in an HTML document that the Web server evaluates before sending the page to the browser. They can print environment variables and file statistics, pull in other files, and run commands. A typical SSI has the form <!--#command parameter="value" -->. If an HTML document contains SSIs, its name will usually end in .shtml so the server knows to parse it.

Here's an example of a file called test.shtml:

<html><body>
<h1> My page was last modified on </h1>
<!--#echo var="LAST_MODIFIED" -->
</body></html>

In addition to echo, the commands are config, include, fsize, flastmod, and exec. The exec command is what makes SSIs dangerous: it runs an arbitrary command under the user ID of the Web server. Imagine, for example, a typical guestbook that lets visitors put HTML tags in their messages and writes those messages into a server-parsed page. What if someone entered:

<!--#exec cmd="/bin/rm -rf /" -->

Ack! You would have a big headache the next time someone browsed through the messages!

Or how about this:

<!--#exec cmd="find / -name foo -print" -->

That would perform a systemwide search for files named foo, every time the page is requested. If someone pasted this a few hundred times into a guestbook message, the server would come to a screeching halt.
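The guestbook scenario above is an injection problem: whatever a visitor types ends up in a file the server parses for directives. As an added example (not code from the original sidebar), here is a small Python check that flags SSI directives in submitted text and contrasts a blacklist-style tag filter, which lets the directives through, with plain HTML escaping, which neutralises them. The sample messages and the naive filter are constructed for illustration.

```python
import html
import re

# Matches an SSI directive. Apache's parser wants the literal "<!--#" with no
# space before the '#', but the check also catches sloppier variants so that
# it errs on the side of rejecting.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(echo|include|exec|config|fsize|flastmod)\b", re.IGNORECASE
)


def contains_ssi(text):
    """True if the text carries something the SSI parser would act on."""
    return SSI_DIRECTIVE.search(text) is not None


def naive_tag_filter(text):
    """A typical but inadequate guestbook filter (constructed example): it
    removes a blacklist of tags and never considers HTML comments."""
    return re.sub(r"</?(script|iframe|object|embed|applet)[^>]*>", "",
                  text, flags=re.IGNORECASE)


def safe_guestbook_entry(text):
    """Escape every '<', '>', '&' and quote. No '<' survives, so the server
    side include parser can never see a directive, whatever the visitor typed."""
    return html.escape(text, quote=True)


# Constructed sample messages, including the ones discussed in the sidebar.
MESSAGES = [
    "Nice site!",
    '<!--#exec cmd="/bin/rm -rf /" -->',
    '<!--#exec cmd="find / -name foo -print" -->',
    '<!-- #echo var = "LAST_MODIFIED" -->',
    '<script>alert(1)</script>',
]


def audit(messages):
    """For each message, report whether an SSI survives the naive filter and
    whether one survives escaping. Returns (message, after_naive, after_escape)."""
    return [
        (m, contains_ssi(naive_tag_filter(m)), contains_ssi(safe_guestbook_entry(m)))
        for m in messages
    ]


if __name__ == "__main__":
    for m, after_naive, after_escape in audit(MESSAGES):
        print(f"{m!r}: SSI after naive filter={after_naive}, after escaping={after_escape}")
```

The point of the comparison is that stripping "dangerous" tags is the wrong model; the guestbook should never emit raw visitor text into a parsed file at all, and escaping is the only filter that holds regardless of which directive names or spellings the server accepts.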

A good rule of thumb is to disable Server Side Includes on your Web server - you can almost always find ways to work around them regardless of their convenience.

To see whether SSIs are disabled on NCSA and Apache servers, look in the file access.conf (later Apache releases put the same directives in httpd.conf) for the following bit of configuration and make sure that "Includes" is not in the Options list. Here is an example for the Web server document root, but you should check every defined directory, and also make sure AllowOverride does not include "Options"; otherwise a per-directory .htaccess file can turn Includes back on:

# /home/www/docs being the document root
<Directory /home/www/docs>

# This may also be "None", "All", or any combination of
# "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".

Options Indexes FollowSymLinks
</Directory>

Also, check the srm.conf file for either of the following lines, which tell the server to run files with the given extension through the SSI parser:

AddType text/x-server-parsed-html .shtml
AddType text/x-server-parsed-html .html

Comment out the lines to prevent further use of SSIs. On Apache, also look for "XBitHack on" or "XBitHack full": with that directive set, any .html file whose user execute bit is set is parsed for SSIs, even with no AddType line at all.

If you simply must have SSIs on your Web server, put "IncludesNOEXEC" in the Options list instead of "Includes" to disable the exec command. This eliminates most of the danger, but the threat of severe system lag remains, because every remaining directive is still evaluated on every request. For example, consider a prankster who pastes the following line a hundred times in a guestbook:

<!--#echo var="LAST_MODIFIED" -->

The server lag induced by hundreds of people viewing the page might just be enough to convince you to turn off SSIs completely.
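The checks described above (Options lists per Directory, the AddType lines for server-parsed HTML, and XBitHack) are easy to miss on a server with many Directory blocks. As an added example, not code from the original sidebar, here is a Python audit script that reads NCSA/Apache 1.x-style configuration text and reports, for each Directory, whether SSIs are fully enabled, restricted with IncludesNOEXEC, or off, and lists the active lines that hand files to the SSI parser. The configuration fragments embedded below are constructed samples, not from any real server; the status names "exec", "noexec" and "off" are this script's own.

```python
import re

# Constructed sample access.conf: one safe root, two directories with full
# SSIs ("Includes" and "All" both enable #exec), one with IncludesNOEXEC.
ACCESS_CONF = """
# /home/www/docs being the document root
<Directory /home/www/docs>
Options Indexes FollowSymLinks
</Directory>

<Directory /home/www/docs/guestbook>
# someone turned SSIs on here for a "last modified" footer
Options Indexes Includes
</Directory>

<Directory /home/www/docs/news>
Options All
</Directory>

<Directory /home/www/docs/safe>
Options IncludesNOEXEC
</Directory>
"""

# Constructed sample srm.conf: .shtml is parsed, the .html line is commented
# out, and XBitHack is on (so executable .html files are parsed anyway).
SRM_CONF = """
AddType text/x-server-parsed-html .shtml
#AddType text/x-server-parsed-html .html
XBitHack on
"""

DIRECTORY_BLOCK = re.compile(r"<Directory\s+(\S+)\s*>(.*?)</Directory>",
                             re.IGNORECASE | re.DOTALL)
OPTIONS_LINE = re.compile(r"^\s*Options\s+(.*)$", re.IGNORECASE | re.MULTILINE)


def strip_comments(text):
    """Drop whole-line comments so a commented-out directive is not counted."""
    return "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))


def ssi_status(options_line):
    """Classify one Options list: 'exec' (full SSIs, #exec allowed),
    'noexec' (IncludesNOEXEC) or 'off'. A leading '-' removes an option
    (Apache's relative syntax); 'All' implies Includes. If both Includes and
    IncludesNOEXEC appear, report the more dangerous reading."""
    status = "off"
    for tok in options_line.split():
        name = tok.lstrip("+-").lower()
        if tok.startswith("-"):
            if name in ("all", "includes", "includesnoexec"):
                status = "off"
        elif name in ("all", "includes"):
            status = "exec"
        elif name == "includesnoexec" and status == "off":
            status = "noexec"
    return status


def audit_directories(access_conf):
    """Map each <Directory> path to the SSI status of its last Options line."""
    report = {}
    for path, body in DIRECTORY_BLOCK.findall(strip_comments(access_conf)):
        options = OPTIONS_LINE.findall(body)
        report[path] = ssi_status(options[-1]) if options else "off"
    return report


def parsed_html_handlers(srm_conf):
    """Return the active lines that route files into the SSI parser:
    AddType text/x-server-parsed-html ... and XBitHack on|full."""
    hits = []
    for line in strip_comments(srm_conf).splitlines():
        s = line.strip()
        if (re.match(r"addtype\s+text/x-server-parsed-html\b", s, re.IGNORECASE)
                or re.match(r"xbithack\s+(on|full)\b", s, re.IGNORECASE)):
            hits.append(s)
    return hits


if __name__ == "__main__":
    for path, status in audit_directories(ACCESS_CONF).items():
        print(f"{path}: SSIs {status}")
    for line in parsed_html_handlers(SRM_CONF):
        print(f"parser hook still active: {line}")
```

Run it against the real files (read them in place of the constructed strings) and treat every "exec" directory and every reported parser hook as a finding; a directory reporting "off" is only safe if nothing else, such as an .htaccess file permitted by AllowOverride Options, re-enables Includes underneath it.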