Security Basics mailing list archives
Re: #include file tag in HTML: possible issues?
From: Brad Spangler <brad_spangler () yahoo com>
Date: Fri, 13 Jan 2006 20:16:48 -0600
That include tag is a server side include (SSI) directive used to indicate to Apache (or similar web servers) that it should merge in some content from another file -- typically either plain text or HTML formatted text. I would be fascinated if I found out otherwise, but to the best of my understanding everything should be kosher as long as we're talking about static text files. That is to say, the files or the include directive typically won't add any potential security issues all by themselves. Your SHTML file (that's the extension commonly tacked on to HTML files with SSI directives) should be as safe as any plain HTML file.

HOWEVER -- more problematic than a simple include of a static file are some of the other SSI directives, such as "exec". Fortunately, Apache (version 2 anyway -- maybe or maybe not on earlier versions, I'm not sure) offers the ability to disable "exec" while still using "include".

On Friday 13 January 2006 09:20 am, Giuseppe DELL'ERBA wrote:
Hi all, I have to evaluate from a security point of view an application that is going to add in its template pages the #include file tag. This will allow a section of code to be inserted in the page, and the code that is inserted may be stored in an external file. Do you think this feature can introduce possible security threats? And, eventually, the remediation needed? Thanks Peppe
-- Brad Spangler http://bradspangler.com/blog/
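The distinction Brad draws above (a static "include" is benign, "exec" is the directive to worry about) is easy to check mechanically before a template set goes live. The following is an added example, not code from the original thread or from Apache: a small Python parser for Apache-style `<!--#element attr="value" -->` directives that walks an SHTML template and reports anything beyond a plain static include. The sample template, the `CGI_EXTENSIONS` heuristic and the severity labels are assumptions constructed for this example.

```python
"""Audit an SHTML template for server-side include (SSI) directives.

Added example (not from the original thread or from Apache). Parses
Apache-style <!--#element attr="value" --> directives and reports the
ones that do more than splice in a static file. The sample template and
the CGI_EXTENSIONS heuristic below are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Apache mod_include syntax: <!--#element attribute=value ... -->
DIRECTIVE_RE = re.compile(r"<!--#\s*(\w+)\s*(.*?)\s*-->", re.DOTALL)
# attribute values may be double-, single- or back-quoted, or unquoted
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|`([^`]*)`|(\S+))""")

# Heuristic (assumption): extensions that usually mean a CGI handler
CGI_EXTENSIONS = ("cgi", "pl", "sh", "py")


@dataclass
class Directive:
    element: str
    attrs: dict
    line: int


@dataclass
class Finding:
    line: int
    severity: str
    message: str


def parse_ssi(text: str) -> list:
    """Return every SSI directive in the document, in source order."""
    directives = []
    for m in DIRECTIVE_RE.finditer(text):
        attrs = {}
        for a in ATTR_RE.finditer(m.group(2)):
            value = next(v for v in a.groups()[1:] if v is not None)
            attrs[a.group(1).lower()] = value
        line = text.count("\n", 0, m.start()) + 1
        directives.append(Directive(m.group(1).lower(), attrs, line))
    return directives


def looks_like_cgi(url_path: str) -> bool:
    """Heuristic: does this include target resolve to a CGI handler?"""
    ext = url_path.rsplit(".", 1)[-1].lower() if "." in url_path else ""
    return "/cgi-bin/" in url_path or ext in CGI_EXTENSIONS


def audit(text: str) -> list:
    """Flag directives that execute code or compute their include target."""
    findings = []
    for d in parse_ssi(text):
        if d.element == "exec":
            # #exec cmd= / #exec cgi= run a program; only Options IncludesNOEXEC refuses them
            findings.append(Finding(d.line, "high",
                "#exec runs a command or CGI script; needs Options IncludesNOEXEC to be refused"))
        elif d.element == "include":
            if "file" in d.attrs:
                path = d.attrs["file"]
                if path.startswith("/") or ".." in path.split("/"):
                    # mod_include rejects absolute paths and ../ in file=; the page would ship an error
                    findings.append(Finding(d.line, "low",
                        "include file= with an absolute path or ../ is rejected by Apache"))
            if "virtual" in d.attrs:
                target = d.attrs["virtual"]
                if looks_like_cgi(target):
                    # include virtual of a ScriptAliased CGI is still allowed under IncludesNOEXEC
                    findings.append(Finding(d.line, "medium",
                        "include virtual targets a CGI script, which still executes under IncludesNOEXEC"))
                if "$" in target:
                    # mod_include substitutes ${VAR} in attribute values at request time
                    findings.append(Finding(d.line, "medium",
                        "include target is built from an SSI variable; check whether the request controls it"))
    return findings


# Constructed sample template (assumption, not taken from the thread)
SAMPLE_TEMPLATE = """\
<html><body>
<!--#include file="header.html" -->
<!--#include virtual="/snippets/nav.html" -->
<!--#exec cmd="ls -l /var/www" -->
<!--#include virtual="/cgi-bin/counter.pl" -->
<!--#include virtual="/parts/${QUERY_STRING}.html" -->
<!--#include file="../private/notes.txt" -->
</body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_TEMPLATE):
        print(f"line {f.line}: [{f.severity}] {f.message}")
```

Run against the sample, the two static includes on lines 2 and 3 produce nothing, which is the "as safe as plain HTML" case from the post; the `#exec` on line 4 is the one to remove or to neutralise server-side. The Apache knob Brad refers to is the `Options` directive: `Options Includes` enables every SSI element, while `Options IncludesNOEXEC` keeps `#include` working but disables `#exec cmd` and `#exec cgi`. Apache's documentation notes that `#include virtual` of a CGI script in a ScriptAliased directory is still executed under `IncludesNOEXEC`, which is why the audit reports such targets separately rather than treating them as static includes.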
Current thread:
- #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 13)
- Re: #include file tag in HTML: possible issues? Brad Spangler (Jan 16)
- Smartcardlogon with MS 2003 NATIVE dav () forststrasse27 de (Jan 17)
- Re: Smartcardlogon with MS 2003 NATIVE - Information about Smartcards dav () forststrasse27 de (Jan 23)
- Smartcardlogon with MS 2003 NATIVE dav () forststrasse27 de (Jan 17)
- <Possible follow-ups>
- Re: #include file tag in HTML: possible issues? pg_vlad (Jan 13)
- RE: #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 16)
- RE: #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 20)
- Re: #include file tag in HTML: possible issues? Andrew Peters (Jan 23)
- Re: #include file tag in HTML: possible issues? Brad Spangler (Jan 16)