What if SSIs are turned on but includes are stripped from user input?


If SSIs are allowed, you may still have a way to use them. If there is another method of user input, such as a completely separate script, it could possibly be exploited. Granted, if you could access the system via a separate script you probably won’t be messing with SSI, but if an anon FTP “/incoming” directory is in place and you can view an uploaded file via your browser, you could include the SSI stuff into an HTML file you’ve uploaded and then access it to run the SSI. Also, local users to the web server could do the same things.
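A defensive check for the situation the answer describes, as an added example that is not part of the original page: it audits a web-reachable upload directory for files that carry SSI directives, since input filtering in one script does nothing for files that arrive another way. The directory layout, file names and severity labels are constructed for illustration.

```python
"""Audit a web-reachable upload directory for files that carry SSI directives."""
import re
import tempfile
from pathlib import Path

# mod_include-style directive: <!--#element attr="value" -->
SSI_DIRECTIVE = re.compile(rb"<!--#([a-z]+)\b.*?-->", re.IGNORECASE | re.DOTALL)
HIGH_RISK = {"exec", "include"}  # command execution / file inclusion


def scan_file(path: Path) -> list[str]:
    """Return the SSI element names found in one file, lower-cased, in order."""
    try:
        data = path.read_bytes()
    except OSError:
        return []  # unreadable file: skip rather than abort the audit
    return [m.group(1).decode("ascii").lower() for m in SSI_DIRECTIVE.finditer(data)]


def scan_tree(root: Path) -> list[tuple[str, str, str]]:
    """Walk root and return (relative path, element, severity) per directive.

    Every file is inspected regardless of extension, because which names the
    server parses for SSI is a server-side setting the scanner cannot see.
    """
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for element in scan_file(path):
            severity = "high" if element in HIGH_RISK else "review"
            findings.append((path.relative_to(root).as_posix(), element, severity))
    return findings


def demo() -> list[tuple[str, str, str]]:
    """Run the scan over a constructed upload directory (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "incoming").mkdir()
        (root / "incoming" / "notes.html").write_bytes(
            b'<html><!--#exec cmd="PLACEHOLDER" --></html>')
        (root / "incoming" / "page.shtml").write_bytes(
            b'<p><!--#echo var="DATE_LOCAL" --></p>')
        (root / "incoming" / "plain.txt").write_bytes(b"<!-- ordinary comment -->")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, element, severity in demo():
        print(f"{severity:6} {element:8} {rel}")
```

Any hit in a directory that users can write to and browsers can read is worth investigating, whether it came in over FTP or from a local account.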
