[thelist] RE: PHP Problem

Oliver Lineham oliver at lineham.co.nz
Fri Nov 17 19:20:50 CST 2000


At 19:40 17/11/2000 +0100, you wrote:

>Some day the database quitted its service for some hours, and when I
>looked at the pages, I was a bit shocked: The error message pointed
>to the include file, and when I clicked on the URL which was shown,
>voilà - the include file *with db password* was presented!

a) did the include file have <?php and ?> around the php code?

b) what was the suffix of the include file?

if it wasn't .php3 or something, your system was always vulnerable to 
someone guessing the path to the include file.

there are two recommended solutions:

- name include files with a php suffix so that if someone loads it 
directly, it gets parsed by PHP and sensitive data (like passwords) doesn't 
get displayed.

- files with sensitive code should be stored outside of the web root (so 
people can't access the file directly with a browser).  then, even if your 
webserver stops parsing PHP files (maybe the server got upgraded badly) 
people still can't access the file.

these two techniques also apply to ASP.


____________________________________________________
     v i b e   m e d i a    http://www.vibe.co.nz/
  po box 10-492              wellington, new zealand
  phone +64 21 210-7845         oliver at lineham.co.nz
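The two recommendations above (a .php suffix on the include, and keeping it outside the web root) put into one entry script, as an added example that is not part of Oliver's post or the thelist archive. The directory layout, the `APP_ENTRY` constant and the `db.inc.php` contents are assumptions for illustration; it assumes PHP 5.4 or later for `http_response_code()` and the short array syntax.

```php
<?php
// index.php, served from the web root (hypothetical path /var/www/html/).
// The credentials file lives one level above the web root:
//   /var/www/private/db.inc.php   <- no URL maps to this directory
//
// Weak layout this replaces: /var/www/html/db.inc (no .php suffix, inside the
// web root). A request for /db.inc is served as plain text, password included,
// and even /db.inc.php becomes plain text the moment the server stops parsing PHP.

// Marker that the include file checks, so it refuses to run when requested
// directly instead of via a real entry script.
define('APP_ENTRY', true);

// realpath() returns false if the file is missing; treat that as a hard error
// rather than silently running without credentials.
$configFile = realpath(__DIR__ . '/../private/db.inc.php');
$docRoot    = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;

if ($configFile === false) {
    http_response_code(500);
    exit('Configuration file missing.');
}

// Sanity check: if the resolved config path is under the document root, a
// browser could fetch it, so stop here instead of using it.
if ($docRoot !== false && strpos($configFile, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    exit('Refusing to load a credentials file stored inside the web root.');
}

// The include returns an array; nothing is ever echoed from it.
$db = require $configFile;

// ---- contents of /var/www/private/db.inc.php (assumed) ----
// <?php
// if (!defined('APP_ENTRY')) {      // direct request or stray copy in the web root
//     http_response_code(403);
//     exit('Forbidden');
// }
// return [
//     'host'     => 'localhost',
//     'user'     => 'app',
//     'password' => 'EXAMPLE_PASSWORD_PLACEHOLDER',   // constructed placeholder
//     'name'     => 'app_db',
// ];

printf("connecting to %s as %s\n", $db['host'], $db['user']);
```

The guard constant is belt and braces: the real protection is the path, which no URL reaches, and the `.php` suffix only matters if the file is ever copied back inside the web root.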