Re: Advisory #3 - PHP & JSP

From: Ryan Fox (rfoxat_private)
Date: Fri Feb 08 2002 - 09:37:18 PST

    > Solution:
    > Use hard coded directory paths in the 'include' statements you use (same
    > goes for the 'require' statements).
    
    For PHP, good security practices include setting display_errors = Off in the
    php.ini configuration file.  This will prevent errors such as this from
    displaying, resulting in no path information leaking to the client.
    
    Cheers,
    Ryan Fox
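
An added example, not part of the original message: a small Python audit of a php.ini file for the setting recommended above. The sample ini text and the log path are constructed, and the `log_errors` check is an added assumption (errors hidden from the client should still be recorded server-side).

```python
import re

TRUTHY = {"1", "on", "true", "yes"}
DISPLAY_ON = TRUTHY | {"stdout"}   # "stdout" is the explicit form of On

def parse_php_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        # ';' starts a comment (simplification: ';' inside quoted values is not handled)
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):   # skip blanks and [section] headers
            continue
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip('"')
    return settings

def audit(text):
    """Return the directives that allow error text (and file paths) to reach the client,
    plus log_errors when errors would not be recorded server-side."""
    s = parse_php_ini(text)
    findings = []
    # PHP's built-in default for display_errors is on, so an unset value is a finding.
    if s.get("display_errors", "1").lower() in DISPLAY_ON:
        findings.append("display_errors")
    # Flagged only when explicitly enabled in the file.
    if s.get("display_startup_errors", "0").lower() in DISPLAY_ON:
        findings.append("display_startup_errors")
    # Assumption of this example: require logging to be explicitly enabled.
    if s.get("log_errors", "0").lower() not in TRUTHY:
        findings.append("log_errors")
    return findings

# Constructed sample configurations.
WEAK_INI = """[PHP]
; development-style settings
display_errors = On
log_errors = Off
"""
HARDENED_INI = """[PHP]
display_errors = On    ; overridden by the later line
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or "ok")
```

This checks only the file: a script calling `ini_set('display_errors', ...)` or a per-directory `php_flag` can still override php.ini.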
    



    This archive was generated by hypermail 2b30 : Sun Feb 10 2002 - 00:36:53 PST