Bugtraq mailing list archives
Re: ASP Security Hole (PHP Too)
From: vittal.aithal () REVOLUTIONLTD COM (Vittal Aithal)
Date: Thu, 17 Feb 2000 08:58:59 -0000

Under Apache 1.2 and above, the Files directive can be used to prevent
certain filenames being browsed:

eg

    <Files ~ "\.inc$">
      Order allow,deny
      Deny from all
    </Files>

http://www.apache.org/docs/mod/core.html#files
http://www.apache.org/docs/mod/core.html#filesmatch

Just seems to me more elegant than associating .inc with a handler.

Don't know if there's a similar mechanism under IIS though.

vittal

--
Vittal Aithal
Revolution Ltd <tel: 020 7549 5800> <fax: 020 7549 5801>
<vittal.aithal () revolutionltd com> <http://www.revolutionltd.com/>
<v () aithal org> <http://www.bigfoot.com/~vittal.aithal/>

-----Original Message-----
From: Joshua J. Drake [mailto:jdrake () QOOP ORG]

The following is also true for PHP. Naming PHP include files .inc gives
anyone full-read access to the files by simply requesting them by name.

The solution of course is to do one of the following:

a. name php include files with a PHP extension (.php, .php3, etc) that is
   associated with PHP parsing them
b. associate .inc files with PHP so that they are parsed and not displayed
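
The following audit sketch is an added example, not part of the original message or of Apache: it walks a document root and lists files that contain server-side code but are neither parsed by an interpreter nor refused by the `\.inc$` rule quoted above. The names `PARSED_EXTENSIONS`, `exposed_sources` and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions this server hands to an interpreter (adjust to your mappings).
PARSED_EXTENSIONS = {".php", ".php3", ".asp"}
# Same pattern as the <Files ~ "\.inc$"> block quoted in the message.
DENY_PATTERNS = [re.compile(r"\.inc$")]
# PHP open tags or the ASP "<%" delimiter near the top of a file.
SOURCE_MARKER = re.compile(rb"<\?(php|=|\s)|<%")

def exposed_sources(docroot, parsed=PARSED_EXTENSIONS, deny=DENY_PATTERNS):
    """Relative paths of files holding server-side code that would be sent as-is."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in parsed:
                continue  # parsed by the interpreter, not displayed
            if any(p.search(name) for p in deny):
                continue  # request refused by the Files rule
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if SOURCE_MARKER.search(fh.read(65536)):
                    rel = os.path.relpath(path, docroot)
                    findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)

def build_sample_docroot(root):
    """Write a small constructed document root (sample data, not from the page)."""
    samples = {
        "index.php": b"<?php include 'db.inc'; ?>",
        "db.inc": b"<?php $password = 'example'; ?>",
        "legacy/conn.inc": b"<% Set conn = Nothing %>",
        "lib/util.inc.bak": b"<?php function helper() {} ?>",
        "static/readme.txt": b"plain text",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)

def demo():
    """Return (findings with no deny rule, findings with the \\.inc$ rule)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return exposed_sources(root, deny=[]), exposed_sources(root)

if __name__ == "__main__":
    print(demo())
```

On the constructed tree, the rule covers both `.inc` files, but the editor backup `lib/util.inc.bak` is still reported because `\.inc$` only matches names that end in `.inc`.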