Re: results of semi-automatic source code audit

From: todd+1 (toddat_private)
Date: Tue Oct 02 2001 - 18:29:03 PDT


: --=[solution]=--
........snip........
:   in some_function.inc:
:     if ( !defined("MAINFILE") ) die ("this is a include file!");
:     include(CONFIGDIR . "config.inc");

I'm afraid I don't feel this is much of a solution, since most linux/apache
servers are, by default, configured with no special handlers for files of
type ".inc".  If you really want to remove all security problems, make sure
the include files are of type php so their contents will not be revealed
simply by browsing to them.  This is an easier solution than saying "or make
sure your configuration files have handlers for 'inc' files" because in
cohosting solutions, you have little say over the configuration.

todd[1]
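As an added example (not from the thread or any project it mentions), a small audit script that applies the point above: it walks a document root and lists every file containing PHP code whose extension is not mapped to the PHP handler, because such a file is served as raw text and any defined("MAINFILE") guard inside it never executes. It assumes the server hands only .php to PHP, and the sample tree it builds is constructed for the demonstration.

```python
# Audit a web root for include files Apache would serve as plain text.
# Assumption: only the extensions in HANDLED_EXTENSIONS reach the PHP engine.
import os
import re
import tempfile

HANDLED_EXTENSIONS = {".php"}                       # assumed default mapping
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=", re.IGNORECASE)
SECRET_HINT = re.compile(rb"(pass|secret|pwd)", re.IGNORECASE)


def find_exposed_includes(docroot, handled=HANDLED_EXTENSIONS):
    """Return (relative_path, looks_like_credential) for every file that
    contains PHP code but whose extension is not handled by PHP, i.e. files
    a browser request would disclose byte for byte."""
    exposed = []
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            _, ext = os.path.splitext(name)
            if ext.lower() in handled:
                continue                            # executed, source hidden
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            if PHP_OPEN_TAG.search(data):
                rel = os.path.relpath(full, docroot).replace(os.sep, "/")
                exposed.append((rel, bool(SECRET_HINT.search(data))))
    return sorted(exposed)


def build_sample_docroot():
    """Constructed sample tree: a .inc config carrying the MAINFILE guard,
    the same content renamed to .php, and an ordinary HTML page."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "inc"))
    guard = b'<?php\nif (!defined("MAINFILE")) die("this is a include file!");\n'
    with open(os.path.join(root, "inc", "config.inc"), "wb") as fh:
        fh.write(guard + b'$dbpass = "sample-only";\n?>\n')   # constructed value
    with open(os.path.join(root, "inc", "config.php"), "wb") as fh:
        fh.write(guard + b'$dbpass = "sample-only";\n?>\n')
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html><body>hello</body></html>\n")
    return root


if __name__ == "__main__":
    for path, secret in find_exposed_includes(build_sample_docroot()):
        note = "  (credential-looking content)" if secret else ""
        print(f"EXPOSED: {path}{note}")
```

Running it reports only inc/config.inc; passing handled={".php", ".inc"} models a server that does map .inc to PHP and reports nothing.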
    



    This archive was generated by hypermail 2b30 : Wed Oct 03 2001 - 09:04:00 PDT