Security Basics mailing list archives

Re: #include file tag in HTML: possible issues?


From: Brad Spangler <brad_spangler () yahoo com>
Date: Fri, 13 Jan 2006 20:16:48 -0600

That include tag is a server side include (SSI) directive used to indicate to 
Apache (or similar web servers) that it should merge in some content from 
another file -- typically either plain text or HTML formatted text.

I would be fascinated if I found out otherwise, but to the best of my 
understanding everything should be kosher as long as we're talking about 
static text files. That is to say, the files or the include directive 
typically won't add any potential security issues all by themselves. Your 
SHTML file (that's the extension commonly tacked on to HTML files with SSI 
directives) should be as safe as any plain HTML file.

HOWEVER -- more problematic than a simple include of a static file are some of 
the other SSI directives, such as "exec". Fortunately, Apache (version 2 
anyway -- maybe or maybe not on earlier versions, I'm not sure) offers the 
ability to disable "exec" while still using "include". 



On Friday 13 January 2006 09:20 am, Giuseppe DELL'ERBA wrote:
Hi all,

I have to evaluate from a security point of view an application that is going
to add in its template pages the #include file tag. This will allow a
section of code to be inserted in the page, and the code that is inserted
may be stored in an external file.

Do you think this feature can introduce possible security threats? And,
eventually, the remediation needed?

Thanks
Peppe


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

-- 
Brad Spangler
http://bradspangler.com/blog/




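The Apache configuration below is an added example, not part of the thread above; it shows the distinction Brad draws between a plain `#include` of a static file and the `exec` directive, using mod_include's `Options` settings. The directory paths are placeholders, and it assumes mod_include is loaded.

```apache
# Added example (not from the thread): mod_include settings for a directory
# of .shtml templates. Directory paths are placeholders.

# Mark .shtml files as SSI-bearing HTML and run them through the
# INCLUDES output filter so the directives are processed.
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

# Weak setting: every SSI directive is honoured, including
#   <!--#exec cmd="..." -->   and   <!--#exec cgi="..." -->
# Anyone who can write into a template (or an included fragment) in this
# tree can run commands as the web server user.
<Directory "/var/www/html/templates-weak">
    Options +Includes
</Directory>

# Hardened setting: "#include file=" / "#include virtual=" of static files
# keep working, but "#exec cmd" and "#exec cgi" are refused, and
# "#include virtual" of a CGI script is only honoured for ScriptAlias'd
# locations. This is the "disable exec while still using include" option
# Brad mentions.
<Directory "/var/www/html/templates">
    Options +IncludesNOEXEC
</Directory>
```

To confirm the lockdown is in effect, place a test page containing `<!--#exec cmd="id" -->` under the hardened directory and check that the rendered output shows mod_include's default placeholder, `[an error occurred while processing this directive]`, instead of any command output. Note that `IncludesNOEXEC` only removes the `exec` path: the remaining risk is whoever can write to the included fragments or control the include path, so those files should be as tightly owned and reviewed as the templates themselves.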