CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Weakness ID: 97
Abstraction: Variant
Status: Draft
Presentation Filter:
Description
Description Summary
The software generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Confidentiality
Integrity
Availability
Technical Impact: Execute unauthorized code or
commands
Potential Mitigations
Phase: Implementation
Utilize an appropriate mix of white-list and black-list parsing to
filter server-side include syntax from all input.
This can be resultant from XSS/HTML injection because the same special
characters can be involved. However, this is server-side code execution, not
client-side.
Failure to Sanitize
Server-Side Includes (SSI) Within a Web Page
More information is available — Please select a different filter.
Page Last Updated:
January 18, 2017
Use of the Common Weakness Enumeration and the associated references from this website are subject to the
Terms of Use. For more information, please email
[email protected].