[13912] in bugtraq
Re: ASP Security Hole (PHP Too)
daemon@ATHENA.MIT.EDU (Alexander Leidinger)
Fri Feb 18 01:53:59 2000
Mime-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Message-Id: <200002171132.MAA02134@Magelan.Leidinger.net>
Date: Thu, 17 Feb 2000 12:32:42 +0100
Reply-To: Alexander Leidinger <Alexander@LEIDINGER.NET>
From: Alexander Leidinger <Alexander@LEIDINGER.NET>
X-To: jdrake@QOOP.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000215224543.E7C7DB812@fear.qoop.org>
On 15 Feb, Joshua J. Drake wrote:
> The following is also true for PHP. Naming PHP include files .inc gives
> anyone full-read access to the files by simply requesting them by name.
>
> The solution of course is to do one of the following:
>
> a. name php include files with a PHP extension (.php, .php3, etc) that is
> associated with PHP parsing them
> b. associate .inc files with PHP so that they are parsed and not displayed
c. don't put include files below your DocumentRoot, use
php3_include_path (apache-module) or include_path (php3.ini) instead.
Bye,
Alexander.
--
It is easier to fix Unix than to live with NT.
http://www.Leidinger.net Alexander+Home @ Leidinger.net
Key fingerprint = 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6E7E
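
An added example, not part of the original message: a small audit that walks a DocumentRoot and lists files that contain PHP code but have an extension the server does not hand to PHP, i.e. the files that would be sent back as source if requested by name. The set of parsed extensions and the sample tree are assumptions constructed for the example; adjust them to the actual server configuration.

```python
import os
import re
import tempfile

# Assumption: extensions mapped to the PHP handler on this server.
PARSED_EXTS = {".php", ".php3", ".phtml"}
# PHP opening tags: <?php, <?=, or the short tag <? followed by whitespace.
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.IGNORECASE)


def find_exposed_includes(docroot, parsed_exts=PARSED_EXTS):
    """Return sorted relative paths under docroot that contain PHP code but
    would be served as plain text because their extension is not parsed."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in parsed_exts:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # only the first 64 KiB is inspected
            except OSError:
                continue  # unreadable file: skip it
            if PHP_TAG.search(head):
                exposed.append(os.path.relpath(path, docroot))
    return sorted(exposed)


def demo():
    """Build a constructed docroot in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files
            "index.php3": b"<?php include('db.inc'); ?>",
            "db.inc": b"<?php $password = 'constructed-example'; ?>",
            "lib/util.inc": b"<? function f() {} ?>",
            "readme.txt": b"plain text, no code",
        }
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return find_exposed_includes(root)


if __name__ == "__main__":
    for rel in demo():
        print("served unparsed:", rel)
```

Each file it reports can be handled with any of the three options in the thread: rename it, map its extension to PHP, or move it out of the DocumentRoot and reach it through the include path.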