How to Disable #exec in Server-Side Include Files
ID: Q195291
The information in this article applies to:
- Microsoft Internet Information Server version 4.0
SUMMARY
For security reasons, Web administrators may want to disable the #exec
function of Server Side Include (SSI) files.
MORE INFORMATION
IMPORTANT: This article contains information about editing the Microsoft
Internet Information Server (IIS) metabase. Before you edit the metabase,
make sure you understand how to restore it if a problem occurs. For
information about how to do this, view the "Configuration Backup/Restore"
Help topic in the Internet Information Server snap-in for the Microsoft
Management Console (MMC).
Internet Information Server (IIS) versions 3.0 and later allow
command-line or CGI programs to be executed, and their text output to be returned
as Web output. This is accomplished through the use of Server-Side Include
(SSI) commands. An example of this type of command is as follows:
<html>
<head><title>SSI #exec Test</title></head>
<body>
<pre>
<!--#exec cmd="cmd.exe /c dir"-->
</pre>
</body>
</html>
This functionality is enabled by default for the entire Web server. Web
administrators may want to disable this feature. This is accomplished by
performing the following steps:
- On an IIS 4.0 computer with the Windows Script Host (WSH) installed,
  go to the following directory:
      <%SystemRoot%>\System32\Inetsrv\adminsamples
- To disable #exec for the entire Web server use the following:
      cscript adsutil.vbs set w3svc/SSIExecDisable 1
  -OR-
  For a specific virtual directory, you can use the following:
      cscript adsutil.vbs set w3svc/xx/root/vv/SSIExecDisable 1
  Where:
      xx = the instance of the web server
      vv = the virtual directory name
NOTE: This will not affect the #include command.
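Before changing the setting, it is useful to know which pages contain #exec directives. The following Python script is an added example, not part of the original article: it lists every #exec directive in a content tree so the affected pages can be reviewed. The extension list (assumed default SSI mappings), the function names, and the sample page are assumptions or constructed for illustration.

```python
import os
import re

# Extensions IIS maps to the SSI interpreter by default (assumption: the
# server being audited still uses the default script mappings).
SSI_EXTENSIONS = (".stm", ".shtm", ".shtml")
# <!--#command attr="value"-->; directive names are matched case-insensitively.
DIRECTIVE = re.compile(r"<!--\s*#(\w+)\s+(.*?)-->", re.IGNORECASE | re.DOTALL)
ATTRIBUTE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def find_exec_directives(text):
    """Return (line, attribute, value) for each #exec directive in text."""
    hits = []
    for match in DIRECTIVE.finditer(text):
        if match.group(1).lower() != "exec":
            continue  # #include is not affected by SSIExecDisable
        line = text.count("\n", 0, match.start()) + 1
        for name, value in ATTRIBUTE.findall(match.group(2)):
            hits.append((line, name.lower(), value))
    return hits

def audit_tree(root):
    """Map each SSI file under root to the #exec directives it contains."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SSI_EXTENSIONS):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="latin-1") as handle:
                hits = find_exec_directives(handle.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample page: the article's directive plus an #include and a CGI form.
SAMPLE = """<html><body>
<!--#include file="header.inc"-->
<pre>
<!--#exec cmd="cmd.exe /c dir"-->
</pre>
<!--#EXEC CGI="/scripts/counter.exe"-->
</body></html>
"""

if __name__ == "__main__":
    for line, kind, value in find_exec_directives(SAMPLE):
        print(f"line {line}: #exec {kind}={value}")
```

Run audit_tree against a copy of the Web content directory; files that appear in the report are the ones to review before setting SSIExecDisable to 1.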
Version : winnt:4.0
Platform : winnt
Issue type : kbhowto