[24232] in bugtraq
Re: Advisory #3 - PHP & JSP
daemon@ATHENA.MIT.EDU (Ryan Fox)
Sun Feb 10 03:47:54 2002
Message-ID: <00e301c1b0c7$4151e0b0$1701a8c0@noguska.com>
From: "Ryan Fox" <rfox@noguska.com>
To: "Paul Brereton" <brereton_paul@btopenworld.com>,
<bugtraq@securityfocus.com>
Date: Fri, 8 Feb 2002 12:37:18 -0500
> Solution:
> Use hard coded directory paths in the 'include' statements you use (same
> goes for the 'require' statements).

For PHP, good security practices include setting display_errors = Off in the
php.ini configuration file. This will prevent errors such as this from
displaying, resulting in no path information leaking to the client.

Cheers,
Ryan Fox
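
Added example, not part of the original message: a Python check that reads php.ini text and reports whether display_errors is effectively off, handling commented-out lines and repeated assignments (the last one wins). The function names and both sample php.ini texts are constructed for illustration; an unset directive is flagged because PHP's built-in default displays errors.

```python
import re

# Values PHP's ini parser treats as boolean false.
OFF_VALUES = {"off", "0", "false", "no", "none", ""}

def effective_display_errors(ini_text):
    """Return the last value assigned to display_errors, or None if unset."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        m = re.match(r"display_errors\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
    return value

def leaks_errors(ini_text):
    """True if errors (and the file paths in them) can reach the client."""
    value = effective_display_errors(ini_text)
    if value is None:
        return True                               # unset: built-in default is on
    return value.lower() not in OFF_VALUES

# Constructed sample: the safe setting is only present as a comment.
SAMPLE_WEAK = """\
[PHP]
; display_errors = Off
display_errors = On
"""

# Constructed sample: a leftover "On" is overridden by a later "Off".
SAMPLE_FIXED = """\
[PHP]
display_errors = On    ; development leftover
display_startup_errors = On
display_errors = Off
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, "display_errors =", effective_display_errors(text),
              "-> leaks" if leaks_errors(text) else "-> ok")
```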