[thelist] What to watch for when you allow external text to be included in your page?

Alliax damiencola at wanadoo.fr
Thu Nov 29 02:33:31 CST 2001


Hi John, thank you for your PHP functions, I'll use them.
Although breaking the HTML code can be annoying, when I said 'what do I have to
watch for?' I was thinking of malicious actions, like using server side include
to run a program on the server and possibly erase the file of my web server.

My site is hosted on a linux box, php4.0.6 as an apache module.

I am aware that people wouldn't want to warn me about malicious techniques on a
public mailing list with archives. But that's something I would rather not learn
by experience, so feel free to mail me personally if you think there's a
potential threat.

I haven't done all tests, but imagine if someone embeds a javascript which
continuously reloads the same page. If I have 200 visitors an hour then that may
overload the server.

Well you see I don't know exactly what to watch for. So if you know please share
your 'bad' experiences of hacking.

Thank you.

> |(I am thinking of some sort of server include, although I don't
> |know well the
> |syntax used for them, but surely others know and could try)
> |for example, would something like this be a threat (assume I know
> |nothing of the
> |syntax) ?
> |<IMG SRC=http://www.server.com/image.gif
> |ALT="<!exec='/erase -everything -onServer'>" width="80">
> |
>
> Be careful what you put in the field that you draw alt="" text from. If that
> field has a ">" in it, the <img> tag you are writing the alt="" text into
> will be ended by that ">". I dunno what'd happen if you did
> htmlspecialchars() on it...if the character entities would print or
> translate when included as alt="" text...In IE 6, alt="&gt;" renders an
> image's alt="" text as a ">", ymmv.
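
What htmlspecialchars() does to alt="" text taken from an untrusted field, as an added example that is not part of the original thread or written by either poster. The helper name render_img() and the sample strings are constructed for illustration, and the code assumes a current PHP (7.1 or later) rather than the 4.0.6 mentioned above.

```php
<?php
// Added example: hypothetical helper, constructed inputs.

/**
 * Build an <img> tag whose alt text comes from an untrusted source.
 * Returns null when the URL is not a plain http(s) URL.
 */
function render_img(string $src, string $alt, int $width): ?string
{
    // Accept only absolute http(s) URLs, which rules out javascript: and data: schemes.
    if (!preg_match('#^https?://#i', $src)) {
        return null;
    }
    // ENT_QUOTES encodes " and ' as well as & < >, so the value cannot
    // close the attribute or the tag it is written into.
    $safeSrc = htmlspecialchars($src, ENT_QUOTES, 'UTF-8');
    $safeAlt = htmlspecialchars($alt, ENT_QUOTES, 'UTF-8');
    // %d forces the width to an integer regardless of what was passed in.
    return sprintf('<img src="%s" alt="%s" width="%d">', $safeSrc, $safeAlt, $width);
}

// Constructed inputs modelled on the cases raised in the thread.
$samples = [
    'a > b',                                    // the ">" case from the reply
    "<!exec='/erase -everything -onServer'>",   // the made-up directive from the question
    '"><script>/* reload loop */</script>',     // attribute break-out plus a script tag
];

foreach ($samples as $alt) {
    $tag = render_img('http://www.server.com/image.gif', $alt, 80);
    // After escaping, the only raw < and > are the ones delimiting our own tag,
    // and the only raw double quotes are the six around the three attributes.
    $inner = substr($tag, 1, -1);
    $ok = strpbrk($inner, '<>') === false && substr_count($tag, '"') === 6;
    echo ($ok ? 'OK   ' : 'FAIL '), $tag, "\n";
}
```

The browser decodes the entities when it displays the alt text, so the visitor sees the original characters while the markup stays intact.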







