Failure to Sanitize Server-Side Includes (SSI) Within a Web Page

Status: Draft
Weakness ID: 97 (Weakness Base)

Description Summary

The software fails to adequately filter server-side include (control-plane) syntax from user-controlled input (data plane) and then allows potentially injected server-side includes to be acted upon.

Potential Mitigations

Implementation: Utilize an appropriate mix of white-list and black-list parsing to filter server-side include syntax from all input.

Other Notes

This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.

Relationships

Taxonomy Mappings

Applicable Platforms

Languages: All

Time of Introduction

Architecture and Design
Implementation

Related Attack Patterns

Content History

Submissions
PLOVER. (Externally Mined)

Modifications
Eric Dalci. Cigital. 2008-07-01. (External) updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal) updated Relationships, Other_Notes, Taxonomy_Mappings

Previous Entry Names
Server-Side Includes (SSI) Injection (changed 2008-04-11)
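
The mix of white-list and black-list filtering named under Potential Mitigations, shown as an added example that is not part of the CWE entry. It assumes Apache mod_include style directive syntax; the field names, function names and sample strings are hypothetical.

```python
import html
import re
import unicodedata

# Directive opener in Apache mod_include style syntax ("<!--#element ... -->").
# Assumption: the server that parses the page uses this syntax.
SSI_OPENER = re.compile(r"<!--\s*#")

# Allow-list for a hypothetical, tightly constrained "display name" field.
NAME_ALLOWED = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def canonicalize(value: str) -> str:
    """Fold compatibility forms (e.g. fullwidth '<') before any filtering."""
    return unicodedata.normalize("NFKC", value)


def contains_ssi(value: str) -> bool:
    """Deny-list detector: flags input that carries a directive opener."""
    return bool(SSI_OPENER.search(canonicalize(value)))


def validate_name(value: str) -> str:
    """Allow-list: reject anything outside the expected alphabet."""
    value = canonicalize(value)
    if not NAME_ALLOWED.fullmatch(value):
        raise ValueError("display name outside allow-list")
    return value


def neutralize_free_text(value: str) -> str:
    """Free text cannot be allow-listed, so entity-encode the characters the
    directive syntax needs, then confirm no opener survived."""
    encoded = html.escape(canonicalize(value), quote=True)
    if SSI_OPENER.search(encoded):
        raise ValueError("SSI directive syntax survived encoding")
    return encoded


def render_comment(name: str, comment: str) -> str:
    """Build the fragment that will be written into an SSI-parsed page."""
    return f"<p><b>{validate_name(name)}</b>: {neutralize_free_text(comment)}</p>"


# Constructed sample input, not taken from the CWE entry.
SAMPLE = '<!--#echo var="DATE_LOCAL" -->'
FULLWIDTH_SAMPLE = '\uff1c!--#echo var="DATE_LOCAL" --\uff1e'
```

Canonicalizing before filtering matters because a later normalization step could otherwise turn a fullwidth bracket into a real one after the check has already passed.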