[https://issues.apache.org/jira/browse/SLING-9767?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17202119#comment-17202119]
Tomasz Niedźwiedź commented on SLING-9767:
------------------------------------------
[~rombert] depending on the modules installed and the kind of content that gets
rendered on the given Sling site (UGC anyone?), an attempt to run a command
using {{<!--#exec -->}} could fail entirely or become a viable attack vector.
The original instructions I copied to the Sling site were meant as a quick
getting-started guide and each actual Apache setup should be reviewed prior to
being made public, with a round of penetration tests to cover such scenarios.
That said, I can see how it is quite likely for the example code to be copied
verbatim and placed in a configuration where it introduces a serious
vulnerability. Using the {{IncludesNOEXEC}} option by default seems like a good
idea and I don't think it could otherwise impact the way SDI works. A few words
of warning could be provided too, so that users are more aware of the potential
risks and the extra testing they might want to do.

[~chaotic] would you like to contribute an improvement to the docs?
> Insecure Recommendation in Dynamic Include Documentation
> --------------------------------------------------------
>
> Key: SLING-9767
> URL: https://issues.apache.org/jira/browse/SLING-9767
> Project: Sling
> Issue Type: Improvement
> Components: Documentation
> Affects Versions: Dynamic Include 3.2.0
> Reporter: Lars Krapf
> Priority: Major
>
> The [documentation for the Sling Dynamic Includes|https://sling.apache.org/documentation/bundles/dynamic-includes.html#enabling-ssi-in-apache-with-the-aem-dispatcher-module]
> mentions the following:
> bq. Having added the SetOutputFilter directive, open the virtual host's
> configuration and add the Includes option to the Options directive:
> This is an extremely unsafe recommendation. The "Includes" option will allow
> anyone who can change content on the backend (e.g. AEM) to run arbitrary
> commands on the webserver (dispatcher), by injecting the {{<!--#exec-->}}
> directive.
> The recommendation should be to use the "IncludesNOEXEC" option instead,
> which will only allow including static content (with a "safe" MIME type such
> as HTML or plain text).
> See also: http://httpd.apache.org/docs/current/mod/mod_include.html
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
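An added audit helper, not part of the issue, of Sling or of httpd, that flags the exec-capable `Options Includes` the report describes and any `AllowOverride` setting that would let a `.htaccess` file re-enable it; the two vhost fragments are constructed, the hardened one using the `IncludesNOEXEC` option recommended above.

```python
"""Audit Apache httpd config text for SSI settings that let <!--#exec --> run commands."""
import re

# Constructed: the setup as the original Sling docs recommended it (exec-capable Includes) ...
WEAK_VHOST = """
<Directory /var/www/docroot>
    SetOutputFilter INCLUDES
    Options FollowSymLinks Includes
    AllowOverride Options
</Directory>
"""
# ... and the hardened variant: #include still works, mod_include refuses #exec cmd / #exec cgi,
# and a .htaccess cannot switch Options back to Includes.
HARDENED_VHOST = """
<Directory /var/www/docroot>
    SetOutputFilter INCLUDES
    Options FollowSymLinks IncludesNOEXEC
    AllowOverride None
</Directory>
"""

# Option keywords (httpd matches them case-insensitively) that enable #exec; 'All' implies Includes.
EXEC_ENABLING = {"includes", "+includes", "all", "+all"}

def _directives(config: str):
    """Yield (line_no, lowercase directive name, args) for each non-comment, non-section line."""
    for no, line in enumerate(config.splitlines(), start=1):
        parts = line.split()
        if parts and not parts[0].startswith(("#", "<")):
            yield no, parts[0].lower(), parts[1:]

def find_exec_includes(config: str) -> list[tuple[int, str]]:
    """Return (line_no, directive) for every Options line that enables exec-capable SSI."""
    return [(no, "Options " + " ".join(args)) for no, name, args in _directives(config)
            if name == "options" and {a.lower() for a in args} & EXEC_ENABLING]

def htaccess_can_enable_exec(config: str) -> bool:
    """True if an AllowOverride line lets a .htaccess set 'Options Includes' (or 'All')."""
    for _, name, args in _directives(config):
        if name != "allowoverride":
            continue
        for a in (x.lower() for x in args):
            if a in ("all", "options"):          # unrestricted Options in .htaccess
                return True
            if a.startswith("options="):         # restricted list; Options=IncludesNOEXEC is fine
                if {o.strip() for o in a[len("options="):].split(",")} & {"includes", "all"}:
                    return True
    return False

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, find_exec_includes(cfg), htaccess_can_enable_exec(cfg))
```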