Security Basics mailing list archives
Re: #include file tag in HTML: possible issues?
From: "Andrew Peters" <andrew_peters2000 () hotmail com>
Date: Sat, 21 Jan 2006 08:46:01 -0000
Hi, I have been using #include tags (more specifically #include_once) for years in php applications and sites. I have never found any security issues with them. In some cases they can solve security issues. You have to remember that the as far as the html output is concerned, the #include tag is replaced with whatever code is in the linked file (if you use #include 'header.html'; then the html from header.html is put directly into the calling file). This means that you must make sure that header.html is in a secure location. If it is in the same directory, or somewhere within your website (internal) then there is no more risk than there is to any other file on the site. within sites I code I use a variable $rootPath = "../"; (or simail paths) and use this with all includes: #include $rootPath . 'header.html'; so that it is still dynamically linked, but has a more secure path. Problems would occur if you tried to use something similar to: #include 'http://www.externalsite.net/file.html'; Unless you could be sure of the security of the file in that location it would be very unwise (an attacker gains access to the remote location, and edits your include file). In terms of helping with security I often use includes for config files (normally related to mysql db access). If you put the config file outside of the normal web path then it keeps it hidden from anyone with ftp access to the site. This has several benefits.
From a security evealuation point of view the risk is that someone edits the
code in the included file. To reduce this risk you keep the included file in the same location as other website files (even the same directory) thereby making it no more of a security problem than the rest of the code. If the file needs to be external then you have to make sure that the external location is secure. Hope this helps. A.Peters ----- Original Message ----- From: "Giuseppe DELL'ERBA" <giuseppe.dellerba () st com> To: <security-basics () securityfocus com> Sent: Friday, January 20, 2006 4:04 PM Subject: RE: #include file tag in HTML: possible issues? ..any additional feedbacks about the request below? Thanks Peppe -----Original Message----- From: giuseppe dellerba [mailto:giuseppe.dellerba () st com] Sent: Monday, January 16, 2006 11:46 AM To: 'security-basics () securityfocus com' Subject: RE: #include file tag in HTML: possible issues? More details for your feedbacks: the application creates HTML pages, on URL basis, using templates. The content aggregation logic is based on JSP. The application will retrieve these templates and, using TAGLIB technology, will substitute the TAGLIB with the dynamic content and metadata. The idea is to add the #include file tag in the new templates. The contents and the templates come from company internal resources. Thanks Peppe ------------------- First message: Hi all, I have to evaluate from security point of view an application that is going to add in its template pages the #include file tag. This will allow a section of code to be inserted in the page, and the code that is inserted may be stored in an external file. Do you think this feature can introduce possible security threats? And, eventually, the remediation needed? Thanks Peppe --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------- --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus --------------------------------------------------------------------------- --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 13)
- Re: #include file tag in HTML: possible issues? Brad Spangler (Jan 16)
- Smartcardlogon with MS 2003 NATIVE dav () forststrasse27 de (Jan 17)
- Re: Smartcardlogon with MS 2003 NATIVE - Information about Smartcards dav () forststrasse27 de (Jan 23)
- Smartcardlogon with MS 2003 NATIVE dav () forststrasse27 de (Jan 17)
- <Possible follow-ups>
- Re: #include file tag in HTML: possible issues? pg_vlad (Jan 13)
- RE: #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 16)
- RE: #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 20)
- Re: #include file tag in HTML: possible issues? Andrew Peters (Jan 23)
- Re: #include file tag in HTML: possible issues? Brad Spangler (Jan 16)