MyBB Hacks

MyBB Hacks > Coding > SSI Security Threat(s)?
Full Version: SSI Security Threat(s)?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

Firefox Wins

12-20-2010, 03:58 PM
The most secure way to operate is to disallow all SSI processing... ~Source

With 'private' (i.e. single-user not shared) hosting on a VPS or Dedi is using SSI less risky?*
*since secure file perms for individual users are not an issue?

(or try another way to ask)

If, for example, regarding this code:

PHP Code: 
<?php   // This section is not a SSI...
            // This section is not a SSI...
require_once("./inc/local/local_vars.php");
define('IN_MYBB', 1);
require_once './global.php';
if($mybb->user['uid'] == 1) {
} else {
 error_no_permission();  } 

$command = "$rsyncpaths1";
system($command);
?>


'System', 'exec', etc. are often considered highly dangerous.
In the above code, no user input can effect the included $var(s) + only Super-admin can activate the little script, so...

1) Based on the info given:
That usage of 'system' commands is "safe", correct?

2) Also curious about SSI in general, should it be considered highly risky?
Thanks to anyone w/ security experience...

ZiNgA BuRgA

12-20-2010, 05:24 PM
SSI isn't inherently insecure.  Yes, disabling it will probably make your system more secure, just like switching your server off and never turning it on probably makes it even more secure (though not very useful).
If you're not using SSI, it's probably a good idea not to enable it is all.

As for system/exec etc calls, if there is no way for the user to directly affect the variable you're sending to the function, it's probably okay.  That's a "probably" though, there can be other factors, for example, if they can modify the underlying executable (though chances are, if they can do that, they can probably modify scripts too).

Firefox Wins

12-21-2010, 09:13 AM
^^^
That verifies my current level of "experience" and related concerns, thanks ZB.  Smile

(12-20-2010 05:24 PM)ZiNgA BuRgA Wrote: [ -> ]...just like switching your server off and never turning it on probably makes it even more secure (though not very useful).

Yep, and some methods for repelling (almost) all bad-bots and spam will also keep out the search engines and many potential users.  Cocktail
MyBB Hacks > Coding > SSI Security Threat(s)?
Reference URL's