[22774] in bugtraq
Re: results of semi-automatic source code audit
daemon@ATHENA.MIT.EDU (* (todd+1))
Wed Oct 3 12:00:28 2001
Content-Type: text/plain;
charset="iso-8859-1"
From: * (todd+1) <todd@ubermother.net>
Reply-To: todd@ubermother.net
To: genetics@genetics.ath.cx, bugtraq@securityfocus.com
Date: Tue, 2 Oct 2001 21:29:03 -0400
In-Reply-To: <200110022159.f92Lx9K18556@genetics.ath.cx>
MIME-Version: 1.0
Message-Id: <01100221290308.05588@ubermother.net>
Content-Transfer-Encoding: 8bit
: --=[solution]=--
........snip........
: in some_function.inc:
: if ( !defined("MAINFILE") ) die ("this is a include file!");
: include(CONFIGDIR . "config.inc");
I'm afraid I don't feel this is much of a solution, since most linux/apache
servers are, by default, configured with no special handlers for files of
type ".inc". If you really want to remove all security problems, make sure
the include files are of type php so their contents will not be revealed
simply by browsing to them. This is an easier solution than saying "or make
sure your configuration files have handlers for 'inc' files" because in
cohosting solutions, you have little say over the configuration.
todd[1]
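The two server-side alternatives touched on above (refuse to serve `.inc` files directly, or map them to the PHP handler so they execute instead of being dumped) written out as an Apache fragment; this is an added example, not part of this message or the original advisory, and it assumes Apache 2.4 syntax, mod_php, and illustrative file names.

```apache
# Added example (not from the original post). Apache 2.4 syntax and
# mod_php are assumed; paths and file names are illustrative.

# The weak default described in the message needs no configuration at
# all: with no handler registered for ".inc", a request for
# /includes/config.inc is answered with the raw file contents as
# text/plain, credentials included. The defined("MAINFILE") guard
# never runs because PHP never sees the file.

# Option 1: never serve ".inc" files over HTTP. PHP's include() reads
# them from the filesystem, not through the request handler, so the
# application keeps working while direct requests get 403.
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>

# Option 2 (alternative to option 1): run ".inc" through the PHP
# engine, so a direct request executes the file and hits the
# MAINFILE guard instead of revealing its source. The handler name
# depends on how PHP is installed (this is the classic mod_php one).
# <FilesMatch "\.inc$">
#     SetHandler application/x-httpd-php
# </FilesMatch>

# Both options require write access to httpd.conf or a permitted
# .htaccess; renaming the includes to *.php, as suggested above,
# needs neither, which is why it is the portable fix on shared hosts.
```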