Re: ASP Security Hole (PHP Too)

From: Vittal Aithal (vittal.aithalat_private)
Date: Thu Feb 17 2000 - 00:58:59 PST


    Under Apache 1.2 and above, the Files directive can be used to prevent
    certain filenames being browsed:
    
    eg
    
    <Files ~ "\.inc$">
        Order allow,deny
        Deny from all
    </Files>
    
    http://www.apache.org/docs/mod/core.html#files
    http://www.apache.org/docs/mod/core.html#filesmatch
    
    Just seems to me more elegant than associating .inc with a handler. Don't
    know if there's a similar mechanism under IIS though.
    
    
    vittal
    
    --
    Vittal Aithal
    Revolution Ltd <tel: 020 7549 5800> <fax: 020 7549 5801>
    <vittal.aithalat_private> <http://www.revolutionltd.com/>
    <vat_private> <http://www.bigfoot.com/~vittal.aithal/>
    
    > -----Original Message-----
    > From: Joshua J. Drake [mailto:jdrakeat_private]
    >
    > The following is also true for PHP.  Naming PHP include files
    > .inc gives anyone full-read access to the files by simply requesting
    > them by name.
    >
    > The solution of course is to do one of the following:
    >
    >   a.  name php include files with a PHP extension (.php, .php3, etc) that is
    >       associated with PHP parsing them
    >   b.  associate .inc files with PHP so that they are parsed and not displayed
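
An audit for the exposure discussed in this message, as an added example that is not part of the original post or the quoted one: it lists files under a document root that contain PHP or ASP opening tags but whose extension is not handled by a script engine, so the server would send them as plain text. The function names and the `PARSED_EXTS` default are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a document root for files that hold server-side script
# but would be sent to the browser as plain text.
# Assumption: PARSED_EXTS lists the extensions your server maps to a script
# handler; adjust it to match your own configuration.
PARSED_EXTS="${PARSED_EXTS:-php php3 phtml asp}"

# is_parsed_ext EXT: succeeds if EXT (lower case) is handled by a script engine.
is_parsed_ext() {
    for e in $PARSED_EXTS; do
        [ "$1" = "$e" ] && return 0
    done
    return 1
}

# find_raw_includes DOCROOT: print, one per line, files that contain a PHP
# ("<?") or ASP ("<%") opening tag but do not have a parsed extension.
find_raw_includes() {
    find "$1" -type f | sort | while IFS= read -r f; do
        base=${f##*/}
        case $base in
            *.*) ext=${base##*.} ;;
            *)   ext= ;;
        esac
        ext=$(printf '%s' "$ext" | tr '[:upper:]' '[:lower:]')
        is_parsed_ext "$ext" && continue
        # Lines that only carry an XML declaration are not script source.
        if grep -F -e '<?' -e '<%' "$f" 2>/dev/null | grep -qvF '<?xml'; then
            printf '%s\n' "$f"
        fi
    done
}

# exposed_exts DOCROOT: unique lower-cased extensions of the files found
# above, i.e. the ones to rename or to cover with a <Files> deny rule.
exposed_exts() {
    find_raw_includes "$1" | sed -n 's/.*\.\([^./]*\)$/\1/p' |
        tr '[:upper:]' '[:lower:]' | sort -u
}
```

Run `find_raw_includes /path/to/docroot` for the file list, or `exposed_exts /path/to/docroot` for the extensions that need a deny rule or a rename.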
    


