Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

Draft Variant

Structure: Simple

Description

The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.

Common Consequences 1

Scope: ConfidentialityIntegrityAvailability

Impact: Execute Unauthorized Code or Commands

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Implementation

Related Attack Patterns

35
Path Traversal: '.../...//'
101
DEPRECATED: Struts Validation Problems

Related Weaknesses

ChildOf:

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') (CWE-96)

Taxonomy Mapping

PLOVER
WASC

Notes

RelationshipThis can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.