[13897] in bugtraq
Re: ASP Security Hole (PHP Too)
daemon@ATHENA.MIT.EDU (Vittal Aithal)
Thu Feb 17 22:03:28 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <7BA9B1EB0C03D3119AA50090276DCBE865707D@RMAIL2>
Date:         Thu, 17 Feb 2000 08:58:59 -0000
Reply-To: Vittal Aithal <vittal.aithal@REVOLUTIONLTD.COM>
From: Vittal Aithal <vittal.aithal@REVOLUTIONLTD.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Under Apache 1.2 and above, the Files directive can be used to prevent
certain filenames from being browsed, e.g.:
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>
http://www.apache.org/docs/mod/core.html#files
http://www.apache.org/docs/mod/core.html#filesmatch
Just seems to me more elegant than associating .inc with a handler. Don't
know if there's a similar mechanism under IIS though.
vittal
--
Vittal Aithal
Revolution Ltd <tel: 020 7549 5800> <fax: 020 7549 5801>
<vittal.aithal@revolutionltd.com> <http://www.revolutionltd.com/>
<v@aithal.org> <http://www.bigfoot.com/~vittal.aithal/>
> -----Original Message-----
> From: Joshua J. Drake [mailto:jdrake@QOOP.ORG]
>
> The following is also true for PHP.  Naming PHP include files
> .inc gives anyone full-read access to the files by simply requesting
> them by name.
>
> The solution of course is to do one of the following:
>
>   a.  name php include files with a PHP extension (.php, .php3, etc) that
>       is associated with PHP parsing them
>   b.  associate .inc files with PHP so that they are parsed and not
>       displayed
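As an added illustration (not part of Vittal's or Joshua's message), the same deny rule in the Apache 2.4 syntax that replaced Order/Deny, next to the handler association Joshua describes as option b; the file extensions are the ones discussed in the thread:

```apache
# Apache 1.3 / 2.2 form, as in Vittal's message (on 2.4 the Order/Deny
# directives only work if mod_access_compat is loaded):
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>

# Apache 2.4 form of the same rule, using FilesMatch and Require:
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>

# Joshua's option b: let mod_php parse .inc files instead of serving them
# as plain text. The historical directive for this was AddType; the
# source no longer leaks, but anything the file echoes when run on its
# own is still sent to the client.
AddType application/x-httpd-php .inc

# Note for either approach: PHP's include() reads the file from disk, not
# over HTTP, so a .inc file that Apache refuses to serve remains usable
# from application code.
```

Verify the rule after reloading Apache by requesting a known .inc file and confirming the response is 403 rather than the file's source.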