[Javascript] ssi, layers, table alternative to frames

Michael Dougherty Michael_Dougherty at PBP.com
Mon Apr 14 20:48:27 CDT 2003


More inherently insecure than unpatched software?  I can't understand how
SSI is any more dangerous in a controlled environment than any other kind of
active content.  <!-- #include virtual="/inc/TooLazyToRetype.htm" -->
shouldn't be posing much security threat.  http://url/crackers/utility.asp
would be a far worse thing to have running.  If this is listed as a drawback
to using SSI, then I would suggest the administrator just disconnect the
ethernet from the box or turn it off altogether...

"Just a thought"

-----Original Message-----
From: javascript at LaTech.edu [mailto:javascript at LaTech.edu]
Sent: Monday, April 14, 2003 9:23 PM
To: javascript at latech.edu
Subject: Re: [Javascript] ssi, layers, table alternative to frames



As an added downside of SSI's -- they are NOTORIOUSLY insecure.  When I
first started honing my teeth on browser exploits for my computer security
training, the very start of the discussion was on the many easy and exciting
ways to crack a system that had SSI's in place and operational.  Although
I've forgotten much of what I learned during that series of CSI seminars,
the frightening simplicity of the exploits involved still sends shivers up
my spine -- particularly when I hear well-meaning folks relying on those
self-same server-side includes today.  (Sort of the same frisson I get from
finding someone enabling anonymous FTP on a host that doesn't have
backwards-path exclusion turned on).

When I look through the latest Apache "Black Book", it still warns against
enabling SSI's except for the simplest of things.  Most military and
government systems have a flat-out edict against SSI's, period -- for
precisely that reason.  Next to buffer-overflow exploits, SSI's are a
hacker's (oops! I mean a "cracker's") best friend.

-- Dave Lovering

P.S: I like frames too, and it took me a long time to learn to say that!

"McCoy, Thomas" wrote:
>>
>> I love frames.  Seriously!
>>
>> *ducks to avoid flaming*
>>
>> I choose frames over SSI on the library's site because our server that
>> processed the includes is SLOW...  SSI processing added 3 seconds on each
>> page load :(  I might be in the minority (having an ancient server), but
>> I'd test the load speed before committing to anything.  The delay wasn't
>> too noticeable until we went live... all those page requests made the
>> server go chugga-chugga-chugga :(
>>
>>
>> Sincerely,
>> Thomas McCoy
>> www.city.newport-beach.ca.us/nbpl/
>>
>>
>> -----Original Message-----
>>
>> I'm sure you're already aware of the problems associated with using
>> frames...
>> _______________________________________________
>> Javascript mailing list
>> Javascript at LaTech.edu
>> https://lists.LaTech.edu/mailman/listinfo/javascript