CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  

Presentation Filter:

CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

 
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Weakness ID: 97 (Weakness Variant)Status: Draft
+ Description

Description Summary

The software generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Confidentiality
Integrity
Availability

Technical Impact: Execute unauthorized code or commands

+ Potential Mitigations

Phase: Implementation

Utilize an appropriate mix of white-list and black-list parsing to filter server-side include syntax from all input.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory896SFP Cluster: Tainted Input
Software Fault Pattern (SFP) Clusters (primary)888
+ Relationship Notes

This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERServer-Side Includes (SSI) Injection
WASC36SSI Injection
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes, Taxonomy_Mappings
2009-10-29CWE Content TeamMITREInternal
updated Other_Notes, Relationship_Notes
2010-02-16CWE Content TeamMITREInternal
updated Taxonomy_Mappings
2010-06-21CWE Content TeamMITREInternal
updated Description, Name, Type
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Server-Side Includes (SSI) Injection
2010-06-21Failure to Sanitize Server-Side Includes (SSI) Within a Web Page
Page Last Updated: February 18, 2014