[17891] in bugtraq


Web based apps and include files.

daemon@ATHENA.MIT.EDU (Mads Bach)
Fri Dec 1 17:07:10 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <3A27E95E.45BFC06E@inder.net>
Date:         Fri, 1 Dec 2000 19:10:05 +0100
Reply-To: Mads Bach <bach@INDER.NET>
From: Mads Bach <bach@INDER.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

When you're using included files with web based apps, make sure that those
files can't be accessed in such a way that a user can get at the data
within. To prevent that, you could do one or more of the following:

- Place the include files outside of your webroot.
- Make sure your webserver won't serve up the include file as text (if
you're using Apache, you can add a handler or an action for .inc files, for instance).
- If your include file is a valid script file, which your server will parse,
make sure that it doesn't act on user-supplied parameters.

This won't help if your app has bugs that allow users to read arbitrary
files, but if you have that kind of bug, you have bigger problems than world
accessible include files.

/Mads
--
"Irix is about as stable as a one-legged drunk with hypothermia in a four-
hundred mile wind, balancing on a banana peel on a greased cookie sheet.
When someone throws him an elephant with bad breath and a worse temper."
-Simon Cozens in the Scary Devil Monastery
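An added illustration of the first two points in the post (this is example configuration, not part of the original message): an Apache httpd layout that exposes the include file as text, beside the handler route the post mentions and a plain deny rule. The paths /var/www/html and /var/www/private are assumed.

```apache
# Added example (not from the original post): Apache httpd configuration
# contrasting the exposure described in the post with the mitigations it
# names. Paths /var/www/html and /var/www/private are assumed.

# --- Weak layout: include files live under DocumentRoot ------------------
DocumentRoot "/var/www/html"
# With no handler bound to ".inc", httpd falls back to the default type and
# serves /var/www/html/lib/db.inc as plain text, source and all, to anyone
# who requests that URL.

# --- Fix 1: refuse to serve include files directly ------------------------
# Apache 2.4 syntax; on 2.2 the equivalent is "Order allow,deny" followed
# by "Deny from all" inside the same block.
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>
# Scripts still read the file through include()/require(): that is a
# filesystem read, which this URL-level access control does not affect.

# --- Fix 2: have the server parse .inc files instead of serving them ------
# This is the "handler or action" route from the post. Requesting the file
# now executes it rather than printing it, so the include must be written
# so that it does nothing harmful when run on its own with user-chosen
# parameters (the post's third point).
AddType application/x-httpd-php .inc

# --- Preferred: keep the includes outside DocumentRoot entirely -----------
# Nothing below /var/www/private is reachable by URL, whatever handlers
# are configured; the application opens it by filesystem path, e.g.
#   require '/var/www/private/db.inc';
```

Fix 1 and the outside-the-webroot layout can be combined; the deny rule then covers any .inc file that is copied under DocumentRoot by mistake later.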
