Bugtraq mailing list archives
RE: results of semi-automatic source code audit
From: "Matt Block" <blockdev () blockdev net>
Date: Wed, 3 Oct 2001 15:14:32 -0400
Better still is to put your included files outside of the DocumentRoot. The include() function won't care (that is, include('/thefile.inc') includes the file 'thefile.inc' from the root directory of the filesystem, not from the DocumentRoot). It is usually possible to do this, even on the most braindead of providers.

-- Matt
-----Original Message-----
From: * (todd+1) [mailto:todd () ubermother net]
Sent: Tuesday, October 02, 2001 9:29 PM
To: genetics () genetics ath cx; bugtraq () securityfocus com
Subject: Re: results of semi-automatic source code audit

: --=[solution]=--
........snip........
: in some_function.inc:
: if ( !defined("MAINFILE") ) die ("this is a include file!");
: include(CONFIGDIR . "config.inc");

I'm afraid I don't feel this is much of a solution, since most linux/apache servers are, by default, configured with no special handlers for files of type ".inc". If you really want to remove all security problems, make sure the include files are of type php so their contents will not be revealed simply by browsing to them. This is an easier solution than saying "or make sure your configuration files have handlers for 'inc' files" because in cohosting solutions, you have little say over the configuration.

todd[1]
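An added example, not part of the original thread: a small Python audit that walks a document root and lists files that contain PHP open tags but carry an extension the server would not hand to PHP, which is the case where browsing to the file reveals its source. The handled-extension set and the function name are assumptions; match the set to the server's actual handler configuration.

```python
import os
import re
import sys

# Assumption: only these extensions are handed to the PHP interpreter.
# Match this set to the server's real handler configuration.
PHP_HANDLED = frozenset({".php"})

# "<?php", "<?=" or a short open tag followed by whitespace; "<?xml" does not match.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def find_exposed_includes(docroot, handled=PHP_HANDLED):
    """List files under docroot that hold PHP code but would be served as-is."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in handled:
                continue  # executed by PHP, so the source is not sent to the client
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # open tags sit near the top of include files
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if PHP_OPEN_TAG.search(head):
                rel = os.path.relpath(path, docroot)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel in find_exposed_includes(root):
        print("served as source, rename to .php or move outside DocumentRoot:", rel)
```

Run it with the DocumentRoot path as the only argument; an empty result means no file under that root matched.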