Bugtraq mailing list archives

Re: ASP Security Hole (PHP Too)
From: vittal.aithal () REVOLUTIONLTD COM (Vittal Aithal)
Date: Thu, 17 Feb 2000 08:58:59 -0000

Under Apache 1.2 and above, the Files directive can be used to prevent
certain filenames being browsed:


<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>

Just seems to me more elegant than associating .inc with a handler. Don't
know if there's a similar mechanism under IIS though.


Vittal Aithal
Revolution Ltd <tel: 020 7549 5800> <fax: 020 7549 5801>
<vittal.aithal () revolutionltd com> <http://www.revolutionltd.com/>
<v () aithal org> <http://www.bigfoot.com/~vittal.aithal/>

-----Original Message-----
From: Joshua J. Drake [mailto:jdrake () QOOP ORG]

The following is also true for PHP.  Naming PHP include files
.inc gives anyone full-read access to the files by simply requesting
them by name.

The solution of course is to do one of the following:

  a.  name php include files with a PHP extension (.php, .php3, etc) that
      is associated with PHP parsing them
  b.  associate .inc files with PHP so that they are parsed and not

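Added example, not part of the original thread or either poster's code: a Python audit of a document root for files that hold PHP/ASP code but would be sent as plain text, with deny regexes written in the style of the Files pattern above. It goes slightly beyond .inc by flagging any extension the interpreter does not handle; the function names, the sample tree and the parsed-extension list are assumptions.

```python
import os
import re
import tempfile

# Open tags that indicate server-side source (PHP and ASP).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%")

def find_exposed_includes(docroot, parsed_exts=(".php", ".php3"), denied=()):
    """Return docroot-relative paths of files holding server-side code that
    the server would send as plain text: the extension is not handed to the
    interpreter and the name matches no deny regex (the patterns one would
    put in <Files ~ "...">)."""
    deny_res = [re.compile(p) for p in denied]
    exposed = []
    for root, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in parsed_exts:
                continue  # interpreter runs it, source is not sent
            if any(r.search(name) for r in deny_res):
                continue  # blocked by a Files-style deny rule
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            if any(m in head for m in SCRIPT_MARKERS):
                exposed.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_docroot(base):
    """Constructed sample tree, for illustration only."""
    files = {
        "index.php": b"<?php include 'lib/db.inc'; ?>",
        "lib/db.inc": b"<?php $db_pass = 'example'; ?>",
        "lib/util.inc": b"<?php function h($s) { return htmlspecialchars($s); } ?>",
        "old/config.php.bak": b"<?php $key = 'example'; ?>",
        "static/readme.txt": b"plain text, no code",
    }
    for rel, data in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_docroot(d)
        print("no deny rule:", find_exposed_includes(d))
        print(r"deny \.inc$: ", find_exposed_includes(d, denied=(r"\.inc$",)))
```

With the `\.inc$` pattern supplied, the sample still reports the `.bak` copy, which shows that a Files rule protects only the names its regex matches.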