Things to Know about SSIs
- They cause an extra load on your server
- Each document sent with an ssi will need a special lookup
- These documents can be "singled out" with an .shtml extension
- Your webmaster (if not you) will need to get involved
- A config file indicates the use of these, by default it is disabled,
for NCSA httpd modify srm.conf:
# ScriptAliased directories AddType text/x-server-parsed-html .shtml (or .html) AddType application/x-httpd-cgi .cgi
- Within the
that you wish to have includes you will add
Includes or IncludesNOEXEC
How to create SSIs
- Although these look like comments - the # differentiates it.
- You can present information:
<!--#echo var="DATE_LOCAL"--> <!--#echo var="LAST_MODIFIED"--> <!--#include file="owner.txt"-->
- You can execute scripts (although this is the most "insecure" part of SSIs)
- filename.cgi is a script that performs some function, it must reside in a designated cgi-bin directory (see webmaster for where that is)
Security Issues with SSIs
- The exec form of SSIs are a major security hole - process is running as user that runs the web - in most cases root.
- For NCSA httpd, you can disable them by placing the statement
Options IncludesNoExecin access.conf under the directory control area.
- Don't allow users to have areas where execs can run.