Bugtraq mailing list archives
Web based apps and include files.
From: Mads Bach <bach () INDER NET>
Date: Fri, 1 Dec 2000 19:10:05 +0100
When you're using included files with web based apps, make sure that those files can't be accessed in such a way that a user can get at the data within. To prevent that, you could do one or more of the following:

- Place the include files outside of your webroot.
- Make sure your webserver won't serve up the include file as text (if you're using Apache, you can add a handler or an action for .inc files, for instance).
- If your include file is a valid script file, which your server will parse, make sure that it doesn't act on user-supplied parameters.

This won't help if your app has bugs that allow users to read arbitrary files, but if you have that kind of bug, you have bigger problems than world-accessible include files.

/Mads

--
"Irix is about as stable as a one-legged drunk with hypothermia in a four-hundred mile wind, balancing on a banana peel on a greased cookie sheet. When someone throws him an elephant with bad breath and a worse temper." -Simon Cozens in the Scary Devil Monastery
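An added example, not part of the original post: a Python audit that walks a webroot and reports include files that would be served as text, plus parsed include files that read request parameters directly. The extension mapping, the include-naming heuristic and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed server mapping (not from the post): only .php is parsed, these are sent as text.
SERVED_AS_TEXT = {".inc", ".cfg", ".ini"}
PARSED = {".php"}
REQUEST_INPUT = re.compile(r"\$(?:_GET|_POST|_REQUEST|_COOKIE|HTTP_(?:GET|POST|COOKIE)_VARS)\b")

def looks_like_include(rel):
    """Heuristic (assumption): file sits in an include directory or is named *.inc.*"""
    parts = rel.lower().split("/")
    return any(p in ("inc", "include", "includes") for p in parts[:-1]) or ".inc." in parts[-1]

def audit_webroot(webroot):
    """Return sorted (relative_path, finding) pairs for include files under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in SERVED_AS_TEXT:  # in the webroot and not parsed: source is returned
                findings.append((rel, "served-as-text"))
            elif ext in PARSED and looks_like_include(rel):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if REQUEST_INPUT.search(fh.read()):  # acts on user-supplied parameters
                        findings.append((rel, "reads-request-input"))
    return sorted(findings)

def build_sample(root):
    """Write a small constructed site into root (sample data, not from the post)."""
    files = {
        "index.php": "<?php include 'db.inc'; ?>",
        "db.inc": "<?php $db_pass = 'constructed-example'; ?>",
        "includes/header.php": "<?php echo '<h1>site</h1>'; ?>",
        "includes/theme.inc.php": "<?php $theme = $_GET['theme']; ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, finding in audit_webroot(root):
            print(f"{finding:22} {rel}")
```

A "served-as-text" finding is resolved by moving the file out of the webroot or mapping its extension to a handler; a "reads-request-input" finding needs a manual look at how the parameter is used.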