Security Basics mailing list archives
Re: #include file tag in HTML: possible issues?
From: "Andrew Peters" <andrew_peters2000 () hotmail com>
Date: Sat, 21 Jan 2006 08:46:01 -0000
Hi,

I have been using #include tags (more specifically #include_once) for years in PHP applications and sites. I have never found any security issues with them. In some cases they can solve security issues.

You have to remember that, as far as the HTML output is concerned, the #include tag is replaced with whatever code is in the linked file (if you use #include 'header.html'; then the HTML from header.html is put directly into the calling file). This means that you must make sure that header.html is in a secure location. If it is in the same directory, or somewhere within your website (internal), then there is no more risk than there is to any other file on the site.

Within sites I code I use a variable $rootPath = "../"; (or similar paths) and use this with all includes: #include $rootPath . 'header.html'; so that it is still dynamically linked, but has a more secure path.

Problems would occur if you tried to use something similar to: #include 'http://www.externalsite.net/file.html'; Unless you could be sure of the security of the file in that location it would be very unwise (an attacker gains access to the remote location, and edits your include file).

In terms of helping with security I often use includes for config files (normally related to MySQL db access). If you put the config file outside of the normal web path then it keeps it hidden from anyone with FTP access to the site. This has several benefits.

From a security evaluation point of view the risk is that someone edits the code in the included file. To reduce this risk you keep the included file in the same location as other website files (even the same directory), thereby making it no more of a security problem than the rest of the code. If the file needs to be external then you have to make sure that the external location is secure.

Hope this helps.

A.Peters

----- Original Message -----
From: "Giuseppe DELL'ERBA" <giuseppe.dellerba () st com>
To: <security-basics () securityfocus com>
Sent: Friday, January 20, 2006 4:04 PM
Subject: RE: #include file tag in HTML: possible issues?

..any additional feedback about the request below?

Thanks
Peppe

-----Original Message-----
From: giuseppe dellerba [mailto:giuseppe.dellerba () st com]
Sent: Monday, January 16, 2006 11:46 AM
To: 'security-basics () securityfocus com'
Subject: RE: #include file tag in HTML: possible issues?

More details for your feedback: the application creates HTML pages, on a URL basis, using templates. The content aggregation logic is based on JSP. The application will retrieve these templates and, using TAGLIB technology, will substitute the TAGLIB with the dynamic content and metadata. The idea is to add the #include file tag in the new templates. The contents and the templates come from company internal resources.

Thanks
Peppe

-------------------
First message:

Hi all,

I have to evaluate from a security point of view an application that is going to add in its template pages the #include file tag. This will allow a section of code to be inserted in the page, and the code that is inserted may be stored in an external file. Do you think this feature can introduce possible security threats? And, eventually, the remediation needed?

Thanks
Peppe

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
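The include discipline Andrew describes (a fixed base path instead of a URL, the DB config kept outside the web path, and the included file kept where the rest of the site's code lives), written out as an added PHP example that is not part of the thread. It uses PHP's own include_once (what the post calls #include_once); the directory layout, the helper name safeIncludeOnce and the file names are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed layout: templates next to this script, the DB config one level
// above the web root so the web server never serves it directly.
define('TEMPLATE_DIR', realpath(__DIR__ . '/templates'));
define('CONFIG_DIR',   realpath(__DIR__ . '/../config'));

/**
 * Include $name only when it is a plain file name that resolves to a
 * regular, readable file directly inside $baseDir.
 *
 * Refuses anything with a scheme (http://, ftp://, php:// ...), so a
 * remote location can never be pulled in, and anything containing a
 * directory separator, so "../" cannot escape the base directory.
 * The realpath() check also catches a symlink pointing outside $baseDir.
 */
function safeIncludeOnce(string $baseDir, string $name): bool
{
    if ($baseDir === '' || $name === '') {
        return false;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $name) === 1) {
        return false;                       // URL or stream wrapper
    }
    if (basename($name) !== $name) {
        return false;                       // contains a path component
    }
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        return false;                       // missing, or outside $baseDir
    }
    if (!is_file($path) || !is_readable($path)) {
        return false;
    }
    include_once $path;
    return true;
}

// File names are fixed in code, never taken from the request.
safeIncludeOnce(CONFIG_DIR, 'db.php');          // config outside the web path
safeIncludeOnce(TEMPLATE_DIR, 'header.html');   // shared markup inside the site

// Both of these are rejected by the helper instead of being fetched or
// resolved: a remote file and a traversal out of the template directory.
safeIncludeOnce(TEMPLATE_DIR, 'http://www.externalsite.net/file.html');
safeIncludeOnce(TEMPLATE_DIR, '../config/db.php');
```

Because the base directory is a constant derived from __DIR__, moving the site to another path still works, while a request parameter can never change which directory is searched.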