Bugtraq mailing list archives

Re: ASP Security Hole (PHP Too)


From: Alexander () LEIDINGER NET (Alexander Leidinger)
Date: Thu, 17 Feb 2000 12:32:42 +0100


On 15 Feb, Joshua J. Drake wrote:
> The following is also true for PHP.  Naming PHP include files .inc gives
> anyone full-read access to the files by simply requesting them by name.
>
> The solution of course is to do one of the following:
>
>   a.  name php include files with a PHP extension (.php, .php3, etc) that is
>       associated with PHP parsing them
>   b.  associate .inc files with PHP so that they are parsed and not displayed
c. don't put include files below your DocumentRoot; use
   php3_include_path (Apache module) or include_path (php3.ini) instead.

Bye,
Alexander.

--
            It is easier to fix Unix than to live with NT.

http://www.Leidinger.net                  Alexander+Home @ Leidinger.net
  Key fingerprint = 7423 F3E6 3A7E B334 A9CC  B10A 1F5F 130A A638 6E7E
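
An audit for options (a) to (c) in the message above, as an added example that is not part of the original post: it walks a document root and reports files that contain a PHP open tag but whose extension is not handed to PHP. The extension set, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions the server hands to PHP; match this to the real config.
PARSED_EXTENSIONS = frozenset({".php", ".php3"})


def find_exposed_includes(document_root, parsed_extensions=PARSED_EXTENSIONS):
    """List files under document_root that contain a PHP open tag but whose
    extension is not parsed by PHP, so a direct request returns their source."""
    exposed = []
    for dirpath, _dirs, files in os.walk(document_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in parsed_extensions:
                continue  # parsed by PHP: source is not sent to the client
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue  # unreadable here; skip rather than abort the audit
            if b"<?" in head:  # heuristic: also matches <?xml declarations
                exposed.append(os.path.relpath(path, document_root))
    return sorted(exposed)


def build_sample_tree(root):
    """Write a constructed sample document root for the demonstration."""
    samples = {
        "index.php3": b"<?php include('lib/db.inc'); ?>",
        "lib/db.inc": b"<?php $db_password = 'constructed-sample'; ?>",
        "about.html": b"<html><body>static page</body></html>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as docroot:
        build_sample_tree(docroot)
        # Default mapping: lib/db.inc is reported as readable source.
        print(find_exposed_includes(docroot))
        # Option (b): .inc associated with PHP, nothing is reported.
        print(find_exposed_includes(docroot, PARSED_EXTENSIONS | {".inc"}))
```

With option (c) applied, the include files live outside the document root and the same scan of the document root reports nothing.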


