
Server Side Include

  • Risk: High
  • Type: Active

Summary

Certain parameters may cause Server Side Include commands to be executed. This may allow a database connection to be made or arbitrary code to be executed.

Solution

Do not trust client-side input, and enforce a tight check on the server side. Disable server side includes; refer to the manual to disable Server Side Include. Use least privilege to run your web server or application server. For Apache, disable the following:

    Options Indexes FollowSymLinks Includes
    AddType application/x-httpd-cgi .cgi
    AddType text/x-server-parsed-html .html
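One way to check an Apache configuration for the directives listed above, as an added example that is not part of the original page. The sample configuration, the function name audit_ssi and the finding labels are constructed for illustration; beyond the page's list, the check also flags IncludesNOEXEC and the AddOutputFilter INCLUDES form.

```python
# Constructed sample config for illustration (not from a real server).
SAMPLE_CONF = """\
# vhost for legacy app
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes
    AllowOverride None
</Directory>
AddType application/x-httpd-cgi .cgi
AddType text/x-server-parsed-html .html
#AddType text/x-server-parsed-html .shtml
<Directory "/var/www/static">
    Options -Includes -Indexes
</Directory>
AddOutputFilter INCLUDES .shtml
"""

def audit_ssi(conf_text):
    """Return (line_number, finding) for each active directive that enables SSI or CGI."""
    findings = []
    for num, raw in enumerate(conf_text.splitlines(), start=1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or commented-out directive
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name == "options":
            for arg in args:
                if arg.startswith("-"):
                    continue  # "-Includes" turns the option off
                if arg.lstrip("+") == "includes":
                    findings.append((num, "ssi-enabled"))
                elif arg.lstrip("+") == "includesnoexec":
                    # SSI still parsed, only the exec element is blocked
                    findings.append((num, "ssi-enabled-noexec"))
        elif name == "addtype" and args:
            if args[0] == "text/x-server-parsed-html":
                findings.append((num, "ssi-mime-mapping"))
            elif args[0] == "application/x-httpd-cgi":
                findings.append((num, "cgi-mime-mapping"))
        elif name == "addoutputfilter" and args and "includes" in args[0].split(";"):
            findings.append((num, "ssi-output-filter"))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit_ssi(SAMPLE_CONF):
        print(f"line {line_no}: {finding}")
```

The check reads one file at a time, so run it over the main configuration, every included file and any .htaccess files.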

References

https://httpd.apache.org/docs/current/howto/ssi.html
