SSI Security Threat(s)?
Firefox Wins Offline
Member
***
Posts: 164
Joined: Mar 2008
Post: #1
SSI Security Threat(s)?
The most secure way to operate is to disallow all SSI processing... ~Source

With 'private' (i.e. single-user not shared) hosting on a VPS or Dedi is using SSI less risky?*
*since secure file perms for individual users are not an issue?

(or try another way to ask)

If, for example, regarding this code:

PHP Code:
1
2
3
4
5
6
7
8
9
10
11
12
<?php   // This section is not a SSI...
            // This section is not a SSI...
require_once("./inc/local/local_vars.php");
define('IN_MYBB', 1);
require_once './global.php';
if($mybb->user['uid'] == 1) {
} else {
 error_no_permission();  } 

$command = "$rsyncpaths1";
system($command);
?>


'System', 'exec', etc. are often considered highly dangerous.
In the above code, no user input can effect the included $var(s) + only Super-admin can activate the little script, so...

1) Based on the info given:
That usage of 'system' commands is "safe", correct?

2) Also curious about SSI in general, should it be considered highly risky?
Thanks to anyone w/ security experience...

(This post was last modified: 12-20-2010 04:09 PM by Firefox Wins.)
12-20-2010 03:58 PM
Find all posts by this user Quote this message in a reply
ZiNgA BuRgA Online
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #2
RE: SSI Security Threat(s)?
SSI isn't inherently insecure.  Yes, disabling it will probably make your system more secure, just like switching your server off and never turning it on probably makes it even more secure (though not very useful).
If you're not using SSI, it's probably a good idea not to enable it is all.

As for system/exec etc calls, if there is no way for the user to directly affect the variable you're sending to the function, it's probably okay.  That's a "probably" though, there can be other factors, for example, if they can modify the underlying executable (though chances are, if they can do that, they can probably modify scripts too).

My Blog
12-20-2010 05:24 PM
Find all posts by this user Quote this message in a reply
Firefox Wins Offline
Member
***
Posts: 164
Joined: Mar 2008
Post: #3
RE: SSI Security Threat(s)?
^^^
That verifies my current level of "experience" and related concerns, thanks ZB.  Smile

(12-20-2010 05:24 PM)ZiNgA BuRgA Wrote:  ...just like switching your server off and never turning it on probably makes it even more secure (though not very useful).

Yep, and some methods for repelling (almost) all bad-bots and spam will also keep out the search engines and many potential users.  Cocktail
(This post was last modified: 12-21-2010 09:14 AM by Firefox Wins.)
12-21-2010 09:13 AM
Find all posts by this user Quote this message in a reply

« Next Oldest | Next Newest »

 Standard Tools
Forum Jump: