Imagemaps and security

Chuck Bearden cbearden at
Fri Dec 5 07:49:37 EST 1997

> Date:          Fri, 5 Dec 1997 09:27:34 -0800
> From:          "Mark Gooch" <Mark.Gooch at>

> I'm helping a local library set up their website and I  was wondering if
> anyone could tell me whether it is possible to create security holes in
> a website when installing imagemap software and its subsequent files on
> a server?  Also, does anyone have any recommendations for specific
> imagemap software?

I think that in the past, server-side image map software ran as a
cgi, in which case all depends on how securely the cgi was written
and how securely the server is configured to deal with cgis.  If
there is a vulnerability to this kind of app, it would probably
arise if someone diddled with the imagemap definition files in such
a way as to make the cgi go crazy with input it doesn't know how to
deal with.  If you ensure that only trusted and knowledgeable folks
can write to such a file, you are _probably_ okay.  

At present, Apache (the only server I really know) uses a compiled-in
module to handle server-side image maps, rather than an independent
cgi.  Provided you set up the handler for image maps correctly and
have a good imagemap definition file, you are all set--no extra
software needed on the server. I know of no security issues with
Apache's method of doing SS-image maps.  I am inclined to think that
as long as you have the server itself securely configured, the
image-map function in Apache would introduce no new vulnerabilities. 

Have you considered client-side image maps?  Newer browsers
(certainly NS & MS 3.0 or newer, and Lynx 2.6 and newer) support
these, and they might be easier to deal with than server-side maps. 

Chuck "no liability explicit or implied for above advice" Bearden

Chuck Bearden                   email: cbearden at
Network Services Librarian
Automation Department           voice: 713/247-2264
Houston Public Library          fax:   713/247-1182
500 McKinney Ave.
Houston, TX  77002
      -=>HPL's Homepage:<=-
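The point in the reply above about a badly written imagemap CGI "going crazy" on a diddled definition file is easiest to see with a parser that refuses to go crazy. What follows is an added example, written for this archive page; it is not code from the original message, from Apache's mod_imap, or from the NCSA imagemap CGI. It reads the NCSA/Apache map file format (base, default, rect, circle, poly, point; circle given as centre plus a point on the edge), rejects malformed lines instead of acting on them, and resolves a click to a URL the way the server-side handler does (first matching region, then nearest point, then default). The sample map, the coordinate bound MAX_COORD, the polygon vertex cap, and the URL whitelist regex are assumptions of the example, not anything the page or Apache specifies.

```python
"""Defensive parser and hit-tester for NCSA/Apache-style server-side imagemap files."""
import math
import re
from urllib.parse import urljoin

# Constructed sample map file (example data, not from the page). The last two
# lines are deliberately malformed to show that they are rejected, not executed.
SAMPLE_MAP = """\
# Library home page navigation map
base http://library.example/
default index.html
rect catalog 0,0 99,49
circle hours 150,25 150,45
poly events 200,0 250,0 250,49 200,49
point contact 400,400
rect http://evil.example/ 300,300 NaN,NaN
rect broken 0,0
"""

MAX_COORD = 10000      # assumption: sane pixel bound for any coordinate
MAX_VERTS = 100        # assumption: cap on polygon vertices
_COORD_RE = re.compile(r"^(\d{1,5}),(\d{1,5})$")
# Assumption: only relative paths or plain http(s) URLs are acceptable targets.
_URL_RE = re.compile(r"^(?:https?://[\w.\-]+(?::\d+)?(?:/[\w./\-?=&%]*)?|[\w./\-?=&%]+)$")
# kind -> (minimum points, maximum points)
_ARITY = {"default": (0, 0), "rect": (2, 2), "circle": (2, 2),
          "point": (1, 1), "poly": (3, MAX_VERTS)}


def _point(tok):
    """Parse 'x,y' into ints, refusing anything that is not two bounded integers."""
    m = _COORD_RE.match(tok)
    if not m:
        raise ValueError(f"bad coordinate {tok!r}")
    x, y = int(m.group(1)), int(m.group(2))
    if x > MAX_COORD or y > MAX_COORD:
        raise ValueError(f"coordinate out of range {tok!r}")
    return x, y


def parse_map(text):
    """Return (entries, rejected). entries are (kind, absolute_url, [points])."""
    entries, rejected, base = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            kind, url, *coords = line.split()
            if not _URL_RE.match(url):
                raise ValueError(f"bad URL {url!r}")
            if kind == "base":
                base = url
                continue
            if kind not in _ARITY:
                raise ValueError(f"unknown directive {kind!r}")
            lo, hi = _ARITY[kind]
            if not lo <= len(coords) <= hi:
                raise ValueError(f"{kind} wants {lo}..{hi} points, got {len(coords)}")
            pts = [_point(c) for c in coords]
            entries.append((kind, urljoin(base, url) if base else url, pts))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))   # log and skip, never act on it
    return entries, rejected


def _in_rect(p, pts):
    (x1, y1), (x2, y2) = pts
    return min(x1, x2) <= p[0] <= max(x1, x2) and min(y1, y2) <= p[1] <= max(y1, y2)


def _in_circle(p, pts):
    (cx, cy), (ex, ey) = pts          # centre and a point on the edge
    return math.hypot(p[0] - cx, p[1] - cy) <= math.hypot(ex - cx, ey - cy)


def _in_poly(p, pts):
    """Even-odd ray casting; works for any simple polygon."""
    inside = False
    for i in range(len(pts)):
        x1, y1 = pts[i]
        x2, y2 = pts[(i + 1) % len(pts)]
        if (y1 > p[1]) != (y2 > p[1]):
            xint = x1 + (p[1] - y1) * (x2 - x1) / (y2 - y1)
            if p[0] < xint:
                inside = not inside
    return inside


def resolve(map_text, x, y):
    """Map a click to a URL: first region hit, else nearest point, else default, else None."""
    entries, _ = parse_map(map_text)
    tests = {"rect": _in_rect, "circle": _in_circle, "poly": _in_poly}
    p = (x, y)
    for kind, url, pts in entries:
        if kind in tests and tests[kind](p, pts):
            return url
    points = [(math.dist(p, pts[0]), url) for kind, url, pts in entries if kind == "point"]
    if points:
        return min(points)[1]
    for kind, url, _ in entries:
        if kind == "default":
            return url
    return None


if __name__ == "__main__":
    good, bad = parse_map(SAMPLE_MAP)
    print(f"{len(good)} usable entries, {len(bad)} rejected lines: {bad}")
    for click in [(50, 20), (160, 30), (225, 25), (999, 999)]:
        print(click, "->", resolve(SAMPLE_MAP, *click))
```

The failure mode the reply worries about is the parser trusting the file: an entry with a non-numeric or absurd coordinate, or a directive with the wrong number of points, is exactly what an older CGI would feed straight into its geometry code. Here every line is validated before it becomes an entry, bad lines are reported with their line number for whoever administers the file, and the file-order semantics (first matching region wins, point directives only consulted when nothing matched, default last) follow the documented server-side behaviour.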

More information about the Web4lib mailing list