Re: PHP-Survey Database Access Vulnerability

["Jens Knoell" <jens () ing twinwave net>]

From: "MOD" <br014c1155 () blueyonder co uk>
> PHP-Survey is an online survey creation and management system written in
> PHP. It uses a MySQL database on backend for all data handling.
> Global.inc holds the database information, and settings for the survey's
> interface. Global.inc on default settings is not interpreted by PHP hence
> any user can make an HTTP request for global.inc and will be able to view
> the source code, hence the database password, username, localhost is
> revealed, and also superuser information for the administration of the
poll
> survey. A solution might be to rename global.inc to global.inc.php.

A better advice would probably be to make .inc files inaccessible for
webbrowsers. This is generally a good idea, as to the best of my knowledge
no web app ever sends .inc files for anything.

On Apache, this could be done with something like this:
<Files *.inc>
    Order allow,deny
    Deny from all
</Files>

Jens Knoell