[thelist] stm vs htm for includes on IIS

Anthony Baratta Anthony at Baratta.com
Mon Jul 24 11:04:34 CDT 2000


Alex & Adrian wrote:
> 
> Hi all,
> 
> We are on an IIS web server at work.
> There has been some debate regarding security issues with running
> server includes on IIS in .htm files.
> Apparently there is a security risk if you do - but it's not a problem
> if you're using the .stm extension.

That is the most screwy logic I have ever seen. (OK not the most, but ranks in the
top 20.)

Why would one extension be more secure than another? Especially since it's on an MS OS?

Anyway - SSIs are not a security risk via the client. They are a security risk
because those implementing them may do something stupid. If a hacker wanted to abuse
SSIs, he'd have to have control of the OS (at least remote control or telnet) and if
you've got control of the OS, why do you need to hack the SSIs???

Just run all your pages as ASP anyway. They are parsed for SSIs by default and you
don't need to d*ck around with stupid logic. You don't need to actually have ASP code
in the HTML. Yeah you might take a 'slight' performance hit because it's going through
ASP Parser, but who cares. (To continue the stupid logic rant, is ASP more secure
than .stm??? ASP allows ANYTHING to run that's written in proper vbscript. You can
destroy a whole machine with a malicious vb script! Again requires control of the OS,
but makes stm versus htm pale in comparison. Oh give me a flipping break!)

-- 
Anthony Baratta
President
KeyBoard Jockeys
                    South Park Speaks Version 3 is here!!!
                       http://www.baratta.com/southpark
                              Powered by Tsunami