14th Annual Computer Security Applications Conference
December 7-11, 1998
Phoenix, Arizona


Protecting Web Servers from Security Holes in Server-Side Includes

Jared Karro and Jie Wang
Division of Computer Science
University of North Carolina
Greensboro, NC 27402, USA

This paper first investigates and analyzes security holes concerning the use of Server-Side Includes (SSI) in some of the most widely used Web server software packages. We show that, by exploiting features of SSI, one could seriously compromise Web server security. For example, we demonstrate how users can gain access to information they are not supposed to see, and how attackers can crash a Web server computer by having an HTML file execute a simple program. Such attacks can be carried out without leaving a trace behind. We have successfully carried out all the attacks described in this paper on dummy servers we set up for this investigation. We then suggest several practical security measures to protect a Web server against such attacks.
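An auditing check in the spirit of the countermeasures the abstract promises, added here as an illustration and not part of the paper: a scanner that parses NCSA/Apache-style SSI directives (`<!--#name attr="value" -->`) in HTML and flags `exec` directives and `include` paths that leave the page's own directory. The sample HTML, the file path and the program name are constructed.

```python
import re
from typing import Dict, List, Tuple

# One SSI directive, e.g. <!--#exec cmd="prog" --> (NCSA/Apache-style syntax, assumed).
SSI_DIRECTIVE = re.compile(r'<!--#\s*(\w+)((?:\s+\w+\s*=\s*"[^"]*")*)\s*-->')
SSI_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Constructed sample page: one harmless include, one include reaching outside
# the page's directory, one exec directive, and one plain variable echo.
SAMPLE_HTML = """<html><body>
<!--#include virtual="/footer.html" -->
<!--#include file="../../private/notes.txt" -->
<!--#exec cmd="some_program" -->
<!--#echo var="DATE_LOCAL" -->
</body></html>"""


def parse_ssi_directives(html: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (directive, {attribute: value}) for each SSI tag found in html."""
    found = []
    for m in SSI_DIRECTIVE.finditer(html):
        attrs = dict(SSI_ATTR.findall(m.group(2)))
        found.append((m.group(1).lower(), attrs))
    return found


def assess_directive(name: str, attrs: Dict[str, str]) -> str:
    """Classify one directive for an operator audit: 'exec', 'path-escape' or 'ok'."""
    if name == "exec":
        return "exec"  # runs a program or CGI script on every request for the page
    if name == "include":
        if "file" in attrs:
            target = attrs["file"]
            if target.startswith("/") or ".." in target.split("/"):
                return "path-escape"  # file= must stay inside the page's directory
        elif ".." in attrs.get("virtual", "").split("/"):
            return "path-escape"  # virtual= climbing out of the document tree
    return "ok"


def audit_html(html: str) -> List[Tuple[str, str]]:
    """Return (finding, directive text) for every directive that is not 'ok'."""
    findings = []
    for name, attrs in parse_ssi_directives(html):
        verdict = assess_directive(name, attrs)
        if verdict != "ok":
            detail = name + " " + " ".join(f'{k}="{v}"' for k, v in attrs.items())
            findings.append((verdict, detail.strip()))
    return findings


if __name__ == "__main__":
    for verdict, detail in audit_html(SAMPLE_HTML):
        print(f"{verdict:12s} <!--#{detail} -->")
```

Run over a document root with `Includes` enabled, the `exec` findings are the pages to review first; on Apache, `IncludesNOEXEC` disables that directive server-wide while leaving the other SSI features available.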