RE: results of semi-automatic source code audit

["Matt Block" <blockdev () blockdev net>]

Better still is to put your included files outside of the
DocumentRoot.  The include() function won't care (that is,
include('/thefile.inc') includes the file 'thefile.inc' from
the root directory of the filesystem, not from the DocumentRoot).
It is usually possible to do this, even on the most braindead
of providers.

  -- Matt

> -----Original Message-----
> From: * (todd+1) [mailto:todd () ubermother net] 
> Sent: Tuesday, October 02, 2001 9:29 PM
> To: genetics () genetics ath cx; bugtraq () securityfocus com
> Subject: Re: results of semi-automatic source code audit
>
>
> : --=[solution]=--
> ........snip........
> :   in some_function.inc:
> :     if ( !defined("MAINFILE") ) die ("this is a include file!");
> :     include(CONFIGDIR . "config.inc");
>
> I'm afraid I don't feel this is much of a solution, since 
> most linux/apache 
> servers are, by default, configured with no special handlers 
> for files of 
> type ".inc".  If you really want to remove all security 
> problems, make sure 
> the include files are of type php so their contents will not 
> be revealed 
> simply by browsing to them.  This is an easier solution than 
> saying "or make 
> sure your configuration files have handlers for 'inc' files" 
> because in 
> cohosting solutions, you have little say over the configration.
>
> todd[1]