Home page logo

bugtraq logo Bugtraq mailing list archives

Re: ASP Security Hole (PHP Too)
From: Alexander () LEIDINGER NET (Alexander Leidinger)
Date: Thu, 17 Feb 2000 12:32:42 +0100

On 15 Feb, Joshua J. Drake wrote:
The following is also true for PHP.  Naming PHP include files .inc gives
anyone full-read access to the files by simply requesting them by name.

The solution of course is to do one of the following:

  a.  name php include files with a PHP extension (.php, .php3, etc) that is
      associated with PHP parsing them
  b.  associate .inc files with PHP so that they are parsed and not displayed

c. don't put include files below your DocumentRoot, use
   php3_include_path (apache-modul) or include_path (php3.ini) instead.


            It is easier to fix Unix than to live with NT.

http://www.Leidinger.net                  Alexander+Home @ Leidinger.net
  Key fingerprint = 7423 F3E6 3A7E B334 A9CC  B10A 1F5F 130A A638 6E7E

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]