Craftaholique

Embracing The Handmade Life | UK Craft Blog

view shtml patched

View Shtml Patched -

An unpatched view.shtml script often suffered from improper input sanitization. An attacker could manipulate the URL query string to inject malicious SSI directives.

Example of a vulnerable URL:

https://example.com/view.shtml?page=footer

In a secure environment, this would load footer.shtml. In a vulnerable one, an attacker might try: view shtml patched

https://example.com/view.shtml?page=<!--#exec cmd="ls" -->

Or, more commonly, a path traversal combined with SSI injection:

https://example.com/view.shtml?page=../../../../etc/passwd<!--#exec cmd="id" -->

If the server was configured to allow the #exec directive (which executes system commands), the attacker could: An unpatched view

<!--/*
    File: view.shtml
    Status: PATCHED
    Description: Securely displays server-side environment variables 
                 or specific file contents. 
                 Note: The 'virtual' or 'file' attribute in SSI is 
                 restricted by server configuration (httpd.conf).
*/-->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Server Information - Secure View</title>
    <style>
        body  font-family: monospace; background-color: #f4f4f4; padding: 20px; 
        .container  background: #fff; padding: 20px; border: 1px solid #ddd; border-radius: 5px; 
        h1  color: #333; 
        pre  background: #eee; padding: 10px; border: 1px solid #ccc; overflow-x: auto; 
        .warning  color: red; font-weight: bold; 
    </style>
</head>
<body>
<div class="container">
    <h1>Secure Server View</h1>
<!-- PATCHED: The following SSI directives are safe. 
         They do not accept user input directly and only display 
         static server variables or hardcoded files. -->
<h3>Server Environment:</h3>
    <pre>
<!--#echo var="SERVER_NAME" -->
<!--#echo var="SERVER_SOFTWARE" -->
<!--#echo var="DATE_LOCAL" -->
    </pre>
<h3>File Modification Date (Safe Usage):</h3>
    <p>This document was last modified on: <strong><!--#flastmod file="view.shtml" --></strong></p>
<!-- SECURITY NOTE:
         Previous vulnerable versions might have looked like:
         <!--#include virtual="<!--#echo var='QUERY_STRING' -->" -->
         This allowed attackers to pass paths via the URL (e.g., ?/etc/passwd).
         This patched version REMOVES dynamic includes entirely.
    -->
<div class="warning">
        Note: Dynamic file inclusion via URL parameters has been disabled by the administrator.
    </div>
</div>
</body>
</html>

Replace view.shtml with a simple PHP router that uses realpath():

$base = '/var/www/includes/';
$file = realpath($base . $_GET['page'] . '.html');
if (strpos($file, $base) === 0 && file_exists($file)) 
    readfile($file);
 else 
    http_response_code(404);

Historical patches often addressed only one attack vector, leaving others open. For example: In a secure environment, this would load footer

Thus, finding a system described as "view shtml patched" requires verifying what specific patch was applied and against which CVE or behavior.

Before (vulnerable):

Options +Includes
AddType text/html .shtml

After (patched):

Options +IncludesNOEXEC   # Disable exec/cgi
<FilesMatch "\.shtml$">
    SSILegacyExprParser Off
</FilesMatch>