Tuesday, July 19, 2011

HTML Server Side Include

SkyHi @ Tuesday, July 19, 2011
Solution:
1. Use XBitHack on, but you have to rewrite the CGI scripts in /html/cgi-bin/ in JavaScript because of the SSI injection vulnerability: https://www.owasp.org/index.php/Server-Side_Includes_%28SSI%29_Injection
<Directory /var/www/>
    ## includes added by d
    #Options -Indexes FollowSymLinks MultiViews +Includes
    # Every option carries a + or - sign: mixing signed and unsigned options on one line is not valid syntax
    Options -Indexes +FollowSymLinks +MultiViews +IncludesNOEXEC
    #AllowOverride None
    AllowOverride All
    Order allow,deny
    allow from all
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .html .shtml
    XBitHack on
</Directory>

<Directory "/var/www/html/whitt.com/html">
    # Includes, unlike IncludesNOEXEC, does not disable the SSI exec element
    Options +FollowSymLinks +Includes
    AllowOverride All
    AddType text/html .shtml
    DirectoryIndex index.php index.html index.html.var index.shtml
</Directory>

Create an SSI test file, save it as /var/www/ssi-test.shtml, and test that it works:
<html>
<head>
<title>SSI Test Page</title>
</head>
<body>
<!--#echo var="DATE_LOCAL" -->
</body>
</html>
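
An added example, not part of the original post: a small Python check that reads Apache <Directory> blocks and reports Options lines that enable Includes without NOEXEC or that mix signed and unsigned options. The function name audit_ssi and the sample config are constructed for illustration.

```python
import re

# Constructed sample (not the page's live config): the page's two directory
# paths, written with signed and unsigned options mixed on one line.
SAMPLE_CONF = """
<Directory /var/www/>
    #Options -Indexes FollowSymLinks MultiViews +Includes
    Options -Indexes FollowSymLinks MultiViews +IncludesNOEXEC
    XBitHack on
</Directory>
<Directory "/var/www/html/whitt.com/html">
    Options FollowSymLinks +Includes
    AddType text/html .shtml
</Directory>
"""

OPEN_DIR = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)

def audit_ssi(conf_text):
    """Return (directory, finding) tuples for SSI-related Options lines."""
    findings = []
    current = None                      # path of the <Directory> being read
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                    # skip blanks and commented-out lines
        opened = OPEN_DIR.match(line)
        if opened:
            current = opened.group(1)
            continue
        if line.lower().startswith("</directory"):
            current = None
            continue
        words = line.split()
        if current is None or words[0].lower() != "options":
            continue
        opts = words[1:]
        signed = [o[0] in "+-" for o in opts]
        if any(signed) and not all(signed):
            findings.append((current, "mixed signed/unsigned Options"))
        for o in opts:
            # "Includes" permits the exec element; "IncludesNOEXEC" does not.
            if o.lstrip("+-").lower() == "includes" and not o.startswith("-"):
                findings.append((current, "Includes without NOEXEC"))
    return findings

if __name__ == "__main__":
    for directory, finding in audit_ssi(SAMPLE_CONF):
        print(f"{directory}: {finding}")
```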

2. Use mod_rewrite (http://corz.org/serv/tricks/htaccess2.php) to rewrite php to html. This could get you penalized by the search engines.