[25288] in bugtraq
Re: PHP-Survey Database Access Vulnerability
daemon@ATHENA.MIT.EDU (Jens Knoell)
Fri Apr 26 19:23:58 2002
Message-ID: <00d401c1ed76$86c33b30$0264a8c0@wombie>
From: "Jens Knoell" <jens@ing.twinwave.net>
To: "MOD" <br014c1155@blueyonder.co.uk>, <bugtraq@securityfocus.com>
Date: Fri, 26 Apr 2002 17:03:03 -0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
From: "MOD" <br014c1155@blueyonder.co.uk>
> PHP-Survey is an online survey creation and management system written in
> PHP. It uses a MySQL database on backend for all data handling.
> Global.inc holds the database information, and settings for the survey's
> interface. Global.inc on default settings is not interpreted by PHP hence
> any user can make an HTTP request for global.inc and will be able to view
> the source code, hence the database password, username, localhost is
> revealed, and also superuser information for the administration of the
poll
> survey. A solution might be to rename global.inc to global.inc.php.
A better advice would probably be to make .inc files inaccessible for
webbrowsers. This is generally a good idea, as to the best of my knowledge
no web app ever sends .inc files for anything.
On Apache, this could be done with something like this:
<Files *.inc>
Order allow,deny
Deny from all
</Files>
Jens Knoell
