https://issues.apache.org/bugzilla/show_bug.cgi?id=57325

--- Comment #2 from Mahmoud El Manzalawy <is4cur...@gmail.com> ---
Hello guys, Mahmoud on mic :)

Server Side Includes ~ SSI ~ Injection

First, the web server/host must support "Server Side Includes".

http://httpd.apache.org/docs/current/mod/mod_include.html

The bug is from the input check in this code:

http://im76.gulfup.com/HxiDCr.png

When you open the ssii file

and write a first name and last name, it will redirect to SHTML. ssi and print my
first name and IP.


http://im76.gulfup.com/8wIXzh.png

http://im76.gulfup.com/PcyQrj.png

OK, let me change the first name and last name to a command using Burp Suite

http://im76.gulfup.com/z4IoDu.png

and use this command

<!--#exec cmd="cat /etc/passwd" --> 

<!--#echo var="DOCUMENT_NAME" --> 

http://im76.gulfup.com/N0ec8K.png


Result: bypass security and read etc/passwd

http://im76.gulfup.com/3rBVGT.png


Sorry about my bad English, hope you guys can understand :-) :D

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: rivet-dev-unsubscr...@tcl.apache.org
For additional commands, e-mail: rivet-dev-h...@tcl.apache.org
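
Added example, not part of the bug report or of the project's code: one way a form handler could flag and neutralise the SSI directives quoted in the comment above before the values are written into an SSI-parsed page. The handler on the page is only visible as a screenshot, so the function names, field names and sample values here are hypothetical and constructed.

```python
import html
import re

# Opening of an SSI directive such as <!--#exec or <!--#echo.
# Whitespace-tolerant on purpose: a detector should over-match, not under-match.
SSI_OPEN = re.compile(r"<!--\s*#\s*([a-z]+)", re.IGNORECASE)


def find_ssi_directives(value: str) -> list[str]:
    """Return the names of SSI directives found in one submitted value."""
    return [m.group(1).lower() for m in SSI_OPEN.finditer(value)]


def audit_form(fields: dict[str, str]) -> dict[str, list[str]]:
    """Map each form field that carries SSI syntax to the directives found."""
    hits = {}
    for name, value in fields.items():
        found = find_ssi_directives(value)
        if found:
            hits[name] = found
    return hits


def neutralise(value: str) -> str:
    """HTML-encode the value so '<!--#' never reaches the SSI parser literally."""
    return html.escape(value, quote=True)


def render_greeting(first: str, last: str, remote_addr: str) -> str:
    """Hypothetical replacement for the page that echoes the name and IP."""
    return (f"<p>Hello {neutralise(first)} {neutralise(last)}, "
            f"your IP is {neutralise(remote_addr)}</p>")


if __name__ == "__main__":
    # Constructed request: the two directives are the ones quoted in the report.
    submitted = {
        "firstname": '<!--#exec cmd="cat /etc/passwd" -->',
        "lastname": '<!--#echo var="DOCUMENT_NAME" -->',
    }
    print(audit_form(submitted))  # log or reject the request on any hit
    print(render_greeting(submitted["firstname"], submitted["lastname"],
                          "192.0.2.10"))
```

For pages that must stay SSI-parsed, Apache's `Options IncludesNOEXEC` additionally disables `#exec cmd`.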
