DocumentCode
2459901
Title
Protecting Web servers from security holes in server-side includes
Author
Karro, Jared ; Wang, Jie
Author_Institution
Div. of Comput. Sci., North Carolina Univ., Greensboro, NC, USA
fYear
1998
fDate
7-11 Dec 1998
Firstpage
103
Lastpage
111
Abstract
This paper first investigates and analyzes security holes concerning the use of server-side includes (SSI) in some of the most used Web server software packages. We show that, by exploiting features of SSI, one could seriously compromise Web server security. For example, we demonstrate how users can gain access to information they are not supposed to see, and how attackers can crash a Web server computer by having an HTML file execute a simple program. Such attacks can be made with no trace left behind. We have successfully carried out all the attacks described in this paper on dummy servers we set up for this investigation. We then suggest several practical security measures to prevent a Web server from such attacks.
Keywords
computer network management; search engines; security of data; HTML file; Web server computer crash; Web server protection; Web server security; Web server software packages; attackers; dummy servers; information access; security holes; server-side includes; Computer networks; Computer science; Computer security; HTML; Information security; Java; Network servers; Protection; Web server; Web sites;
fLanguage
English
Publisher
IEEE
Conference_Titel
Computer Security Applications Conference, 1998. Proceedings. 14th Annual
Conference_Location
Phoenix, AZ
ISSN
1063-9527
Print_ISBN
0-8186-8789-4
Type
conf
DOI
10.1109/CSAC.1998.738590
Filename
738590