[22788] in bugtraq
RE: results of semi-automatic source code audit
daemon@ATHENA.MIT.EDU (Matt Block)
Thu Oct 4 00:44:02 2001
From: "Matt Block" <blockdev@blockdev.net>
To: <todd@ubermother.net>, <genetics@genetics.ath.cx>,
<bugtraq@securityfocus.com>
Date: Wed, 3 Oct 2001 15:14:32 -0400
Message-ID: <00d601c14c3f$a1e562e0$6400000a@internal.home.blockdev.net>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <01100221290308.05588@ubermother.net>
Better still is to put your included files outside of the
DocumentRoot. The include() function won't care (that is,
include('/thefile.inc') includes the file 'thefile.inc' from
the root directory of the filesystem, not from the DocumentRoot).
It is usually possible to do this, even on the most braindead
of providers.
-- Matt
> -----Original Message-----
> From: * (todd+1) [mailto:todd@ubermother.net]
> Sent: Tuesday, October 02, 2001 9:29 PM
> To: genetics@genetics.ath.cx; bugtraq@securityfocus.com
> Subject: Re: results of semi-automatic source code audit
>
>
> : --=[solution]=--
> ........snip........
> : in some_function.inc:
> : if ( !defined("MAINFILE") ) die ("this is a include file!");
> : include(CONFIGDIR . "config.inc");
>
> I'm afraid I don't feel this is much of a solution, since
> most linux/apache
> servers are, by default, configured with no special handlers
> for files of
> type ".inc". If you really want to remove all security
> problems, make sure
> the include files are of type php so their contents will not
> be revealed
> simply by browsing to them. This is an easier solution than
> saying "or make
> sure your configuration files have handlers for 'inc' files"
> because in
> cohosting solutions, you have little say over the configration.
>
> todd[1]
>
>
