Security Issues

crosis_nz
01-24-2007, 10:07 PM
1) Image Thumbnail Viewer

2) http://www.dynamicdrive.com/dynamicindex4/thumbnail.htm

3) We are looking to use this script on our web server. I was just wondering if there are any known security issues or possible exploits we should be looking for? I can't see anything raised in previous posts and likewise have done a quick search on Google. However, where better to ask than the horse's mouth, so to speak. Am happy to go with any recommendations you care to make.

Look forward to a reply.

ddadmin
01-24-2007, 10:30 PM
Well, certainly none that I can conceive of. There is no Ajax/server-side interaction in this script at all, which is typically where security needs to be looked at. All this script does is load an image inline on the page instead of the browser window itself (default).

Twey
01-24-2007, 10:51 PM
Yes, there is no way this script could be used to take advantage of your server.

The description is a little misleading, though: the code provided isn't actually HTML; it appears to be XHTML.

jscheuer1
01-25-2007, 05:47 AM
Yes, there is no way this script could be used to take advantage of your server.

The description is a little misleading, though: the code provided isn't actually HTML; it appears to be XHTML.

How so? Looks like an object-driven JavaScript to me with HTML markup hooks. Oh, and suspiciously like Lightbox.

Twey
01-25-2007, 12:25 PM
<link rel="stylesheet" href="thumbnailviewer.css" type="text/css" />

jscheuer1
01-25-2007, 03:42 PM
<link rel="stylesheet" href="thumbnailviewer.css" type="text/css" />

Oh, that. Looks like (the new) tag soup on the part of a certain someone. You know as well as I do that just putting a short tag on a self-closing tag doesn't make something XHTML. It just makes it invalid if it isn't part of an XHTML document, but not to modern browsers.

Twey
01-25-2007, 04:38 PM
You know as well as I do that just putting a short tag on a self-closing tag doesn't make something XHTML. It just makes it invalid if it isn't part of an XHTML document

Thus, without any contrary associated DOCTYPE or MIME-type, it's reasonable to assume that it was intended as XHTML. It's certainly not HTML, even if it may be error-corrected into such.

jscheuer1
01-25-2007, 05:03 PM
Either way, we should maybe take this to senior coders and let DD settle it. :) DD is credited with authorship on this one.

ddadmin
01-25-2007, 10:02 PM
I shall not lower myself down to the level of name-calling: XHTML calling, that is!

jscheuer1
01-25-2007, 11:01 PM
Chuckle.

Twey
01-26-2007, 10:59 AM
Heh. :)