Bugtraq mailing list archives
Re: PHP-Survey Database Access Vulnerability
From: "Jens Knoell" <jens () ing twinwave net>
Date: Fri, 26 Apr 2002 17:03:03 -0600
From: "MOD" <br014c1155 () blueyonder co uk>
PHP-Survey is an online survey creation and management system written in PHP. It uses a MySQL database on backend for all data handling. Global.inc holds the database information, and settings for the survey's interface. Global.inc on default settings is not interpreted by PHP hence any user can make an HTTP request for global.inc and will be able to view the source code, hence the database password, username, localhost is revealed, and also superuser information for the administration of the poll survey. A solution might be to rename global.inc to global.inc.php.
Better advice would probably be to make .inc files inaccessible to web browsers. This is generally a good idea, as to the best of my knowledge no web app ever sends .inc files for anything. On Apache, this could be done with something like this:

<Files *.inc>
    Order allow,deny
    Deny from all
</Files>

Jens Knoell