Security Issues

**crosis_nz** · 01-24-2007, 10:07 PM

1) Image Thumbnail Viewer

2) http://www.dynamicdrive.com/dynamicindex4/thumbnail.htm

3) We are looking to use this script on our web server. I was just wondering if there are any known security issues or possible exploits we should be looking for? I cant see anything raised in previous posts and likewise have done a quick search on google. However where better to ask than the horses mouth, so to speak. Am happy to go with any recommendations you care to make.

Look forward to a reply.

**ddadmin** · 01-24-2007, 10:30 PM

Well certainly none that I can conceive of. There is no Ajax/ server side interaction in this script at all that are typically where security needs to be looked at. All this script does is load an image inline on the page instead of the browser window itself (default).

**Twey** · 01-24-2007, 10:51 PM

Yes, there is no way this script could be used to take advantage of your server.

The description is a little misleading, though: the code provided isn't actually HTML; it appears to be XHTML.

**jscheuer1** · 01-25-2007, 05:47 AM

Originally Posted by Twey

Yes, there is no way this script could be used to take advantage of your server.

The description is a little misleading, though: the code provided isn't actually HTML; it appears to be XHTML.

How so? Looks like an object driven javascript to me with HTML markup hooks. Oh and, suspiciously like lightbox.

**Twey** · 01-25-2007, 12:25 PM

Code:

<link rel="stylesheet" href="thumbnailviewer.css" type="text/css" />

**jscheuer1** · 01-25-2007, 03:42 PM

Originally Posted by Twey

Code:

<link rel="stylesheet" href="thumbnailviewer.css" type="text/css" />

Oh that. Looks like (the new) tag soup on the part of a certain someone. You know as well as I do that just putting a short tag on a self-closing tag doesn't make something XHTML. It just makes it invalid if it isn't part of an XHTML document but, not to modern browsers.

**Twey** · 01-25-2007, 04:38 PM

You know as well as I do that just putting a short tag on a self-closing tag doesn't make something XHTML. It just makes it invalid if it isn't part of an XHTML document

Thus, without any contrary associated DOCTYPE or MIME-type, it's reasonable to assume that it was intended as XHTML. It's certainly not HTML, even if it may be error-corrected into such.