Re: ASP Security Hole (PHP Too)

From: Alexander Leidinger (Alexanderat_private)
Date: Thu Feb 17 2000 - 03:32:42 PST

Next message: der Mouse: "Re: FireWall-1 FTP Server Vulnerability"

Previous message: Michal Zalewski: "Re: AIX SNMP Defaults"
Next in thread: Daniel Austin: "Re: ASP Security Hole (PHP Too)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 15 Feb, Joshua J. Drake wrote:
> The following is also true for PHP.  Naming PHP include files .inc gives
> anyone full-read access to the files by simply requesting them by name.
>
> The solution of course is to do one of the following:
>
>   a.  name php include files with a PHP extension (.php, .php3, etc) that is
>       associated with PHP parsing them
>   b.  associate .inc files with PHP so that they are parsed and not displayed

c. don't put include files below your DocumentRoot, use
   php3_include_path (apache-modul) or include_path (php3.ini) instead.

Bye,
Alexander.

--
            It is easier to fix Unix than to live with NT.

http://www.Leidinger.net                  Alexander+Home @ Leidinger.net
  Key fingerprint = 7423 F3E6 3A7E B334 A9CC  B10A 1F5F 130A A638 6E7E

Next message: der Mouse: "Re: FireWall-1 FTP Server Vulnerability"
Previous message: Michal Zalewski: "Re: AIX SNMP Defaults"
Next in thread: Daniel Austin: "Re: ASP Security Hole (PHP Too)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:37 PDT