DocumentCode :
2459901
Title :
Protecting Web servers from security holes in server-side includes
Author :
Karro, Jared ; Wang, Jie
Author_Institution :
Div. of Comput. Sci., North Carolina Univ., Greensboro, NC, USA
fYear :
1998
fDate :
7-11 Dec 1998
Firstpage :
103
Lastpage :
111
Abstract :
This paper first investigates and analyzes security holes concerning the use of server-side includes (SSI) in some of the most used Web server software packages. We show that, by exploiting features of SSI, one could seriously compromise Web server security. For example, we demonstrate how users can gain access to information they are not supposed to see, and how attackers can crash a Web server computer by having an HTML file execute a simple program. Such attacks can be made with no trace left behind. We have successfully carried out all the attacks described in this paper on dummy servers we set up for this investigation. We then suggest several practical security measures to prevent a Web server from such attacks.
Keywords :
computer network management; search engines; security of data; HTML file; Web server computer crash; Web server protection; Web server security; Web server software packages; attackers; dummy servers; information access; security holes; server-side includes; Computer networks; Computer science; Computer security; HTML; Information security; Java; Network servers; Protection; Web server; Web sites;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Computer Security Applications Conference, 1998. Proceedings. 14th Annual
Conference_Location :
Phoenix, AZ
ISSN :
1063-9527
Print_ISBN :
0-8186-8789-4
Type :
conf
DOI :
10.1109/CSAC.1998.738590
Filename :
738590
Link To Document :