Security Basics mailing list archives
RE: #include file tag in HTML: possible issues?
From: "Giuseppe DELL'ERBA" <giuseppe.dellerba () st com>
Date: Mon, 16 Jan 2006 11:46:09 +0100
More details for your feedback: the application creates HTML pages, on a URL basis, using templates. The content aggregation logic is based on JSP. The application will retrieve these templates and, using TAGLIB technology, will substitute the TAGLIB with the dynamic content and metadata. The idea is to add the #include file tag in the new templates. The contents and the templates come from company internal resources.

Thanks
Peppe

-----Original Message-----
From: pg_vlad () hotmail com [mailto:pg_vlad () hotmail com]
Sent: Friday, January 13, 2006 10:27 PM
To: security-basics () securityfocus com
Subject: Re: #include file tag in HTML: possible issues?

This doesn't sound like a good practice from any standpoint. What language are we talking about here? Interpreted, or compiled? I think the chances of a malicious #include insertion could be lessened in a compiled application; it would be possible to do so from an interpreted application as well, though I personally would avoid this type of behaviour at all costs. I think the time needed to redeploy the new #include would offset a malicious use of it and then trying to play cleanup.
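
Added example, not part of either post and not the application's code: a pre-deployment audit that scans templates for server-side include directives and reports any `#include` whose target is not a plain `file=` path inside one approved directory. The `fragments` directory, the template names and their contents are constructed assumptions.

```python
import posixpath
import re

# Server-side include directive as embedded in an HTML template.
DIRECTIVE = re.compile(r'<!--\s*#(\w+)\s+(.*?)\s*-->', re.S)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
ALLOWED_DIR = "fragments"  # assumption: the only directory includes may use


def audit_template(text, allowed_dir=ALLOWED_DIR):
    """Return a list of (directive_text, reason) for every rejected directive."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        command = m.group(1).lower()
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(2))}
        if command != "include":
            findings.append((m.group(0), "directive-not-allowed"))
            continue
        target = attrs.get("file")
        if target is None:
            findings.append((m.group(0), "not-file-include"))
            continue
        # Normalise separators and collapse "." / ".." before checking.
        norm = posixpath.normpath(target.replace("\\", "/"))
        if norm.startswith("/") or ":" in norm or norm == ".." \
                or norm.startswith("../"):
            findings.append((m.group(0), "escapes-root"))
        elif not norm.startswith(allowed_dir + "/"):
            findings.append((m.group(0), "outside-allowed-dir"))
    return findings


def audit_all(templates):
    """Map each template name to the reasons its directives were rejected."""
    return {name: [reason for _, reason in audit_template(body)]
            for name, body in templates.items()}


# Constructed sample templates (not taken from the thread).
SAMPLES = {
    "home.html": '<html><!--#include file="fragments/header.html" --></html>',
    "news.html": '<!--#include file="fragments/../../conf/settings.xml" -->',
    "promo.html": '<!--#include file="shared/footer.html" -->',
    "legacy.html": '<!--#include virtual="/fragments/header.html" -->',
}

if __name__ == "__main__":
    for name, reasons in audit_all(SAMPLES).items():
        print(name, "OK" if not reasons else reasons)
```

Run against the template repository as a deployment gate, any non-empty result blocks the release until the directive is reviewed.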