The Security of Server-Side Includes

Great danger to security is posed by “server-side includes” (SSI). These are code statements in HTML documents, often written with PHP, that give instructions to the Web server. Some of these instructions can tell the Web server to execute system commands and CGI scripts. Because programmers are usually unaware of the security risks, and therefore do not write their code accordingly, Web Masters should keep a sharp eye on them.

Server-side includes are snippets of code that not only simplify Web site maintenance but can also make Web site pages interactive. This and their simplicity to implement make them attractive to Web programmers, but the risks of using them must be understood and avoided.

Using server-side includes to display environment variables and file statistics (“#echo var=”) poses no security risk; likewise, using the “#include” function, provided that the directory containing the included file is not Web-accessible.

Security problems can arise when using server-side includes to execute programs on the Web server, specifically when using the “#exec” function. A hacker may then be able to run commands to access and steal data, corrupt or even delete files.

It is safest to disable the “#exec” directive on the Web server, or at least limit its use to only trusted users. Needless to say, it should be used only where absolutely necessary.

If having to run a program with server-side includes is unavoidable, it is safer to use the “virtual=” parameter with the “#include” directive than to use the “#exec” directive. The “virtual=” parameter specifies the target relative to the Web server root directory rather than to the directory of the current file. Thus, program files can be kept out of the way of the Web-accessible files. As an example:


would call a menu program from the (protected) cgi-bin directory, regardless of the location of the file containing the “#include” code.

NCSA and Apache are two Web servers where server-side includes that can execute arbitrary commands can be disabled by the Web Master.

On an Apache server the line:

Options IncludesNOEXEC

in the ‘httpd.conf’ file disables the “#exec” directive completely.

The equivalent on an NCSA server is:

Options IncludesNoExec

in the ‘srm.conf’ file.

On a WN server, which puts security before all else, the “#exec” directive is disabled by default, but can be specifically enabled.

On a CERN server server-side includes are not supported, but can be implemented by means of a Perl program called ‘’, which emulates server-side includes functionality.

Leave a comment

Your email address will not be published. Required fields are marked *