View Shtml Patched Now

SecRule ARGS "@contains ../" "id:1001,deny,msg:'Path Traversal in view.shtml'" SecRule ARGS "<!--#exec" "id:1002,deny,msg:'SSI injection attempt'" Case Study 1: The 2004 Gallery Hack A popular photo gallery script used view.shtml?img=photo1.jpg . Attackers changed the parameter to ../../../../config.inc – retrieving database credentials. The patch involved stripping slashes and adding a base directory. Case Study 2: SEO Spam via SSI Injection (2010) Hackers injected:

A patched server is a safe server. But a server without view.shtml at all is even better. Last updated: October 2024. References: Apache SSI documentation, OWASP Server-Side Includes Injection cheat sheet, CVE-2004-0521, and real-world incident responses. view shtml patched

SSI allows developers to dynamically generate content—such as headers, footers, or current dates—without using PHP or ASP. A typical SHTML file might contain directives like: SecRule ARGS "@contains

<FilesMatch "\.shtml$"> Options +Includes # Disable exec, config, and include virtual (if not needed) SSILegacyExprParser off # Alternatively, use mod_filter to strip exec: <IfModule mod_include.c> SSIEnable on SSIEndTag "-->" # Do NOT add +IncludesNOEXEC? Actually, that's what you want: Options +IncludesNOEXEC </IfModule> </FilesMatch> Use IncludesNOEXEC instead of Includes . This disables #exec and #include with virtual paths. Step 4: Remove SSI Entirely (Recommended for Modern Servers) If you don’t need SSI, remove the handler: Case Study 2: SEO Spam via SSI Injection

$base = '/var/www/includes/'; $file = realpath($base . $_GET['page'] . '.html'); if (strpos($file, $base) === 0 && file_exists($file)) readfile($file); else http_response_code(404);