Hey!

What do people on this list think about fixing PHP include files in a DSA that are accessible via HTTP as well and contain one bug or another, as they are not supposed to be accessible via HTTP but accidentally are?

I'm rather annoyed by the lack of competence of some PHP coders who manage their project in a way so that include files are stored within the regular DocumentRoot and are hence accessible via HTTP as well. Include files normally also don't contain any precaution about being "executed" standalone.

These files should not be accessible via HTTP in the first place but put into /usr/share/something instead and included from there.

As examples see the following problems:

CAN-2005-0459 - information disclosure in phpmyadmin
CAN-2005-0870 - cross site scripting in phpsysinfo

Regards,

Joey

--
Everybody talks about it, but nobody does anything about it! -- Mark Twain

Please always Cc to me when replying to me on the lists.
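
An added example, not part of the original post: a small audit that walks a DocumentRoot and reports include-style PHP files that either lack a standalone-execution guard or use a non-.php extension. The directory names, filename patterns, guard idiom and function names are assumptions of this sketch, and the sample tree is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristics below are assumptions of this example, not taken from the post.
INCLUDE_DIRS = {"include", "includes", "inc", "lib", "libraries"}
INCLUDE_NAME = re.compile(r"\.(inc|inc\.php|class\.php|lib\.php)$", re.I)
# Guard idiom: stop unless the entry point defined a marker constant first.
GUARD = re.compile(
    r"!\s*defined\s*\([^)]*\)\s*\)\s*\{?\s*(die|exit)\b"
    r"|defined\s*\([^)]*\)\s*(or|\|\|)\s*(die|exit)\b", re.I)

def audit_docroot(docroot):
    """Return sorted (relative path, finding) pairs for include-style files."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        in_include_dir = bool(INCLUDE_DIRS & set(rel_dir.lower().split(os.sep)))
        for name in files:
            lower = name.lower()
            is_candidate = in_include_dir or INCLUDE_NAME.search(lower)
            if not (lower.endswith((".php", ".inc")) and is_candidate):
                continue
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if lower.endswith(".inc"):
                # Depends on server config: .inc is often not handled by PHP.
                findings.append((rel, "non-.php include: may be served as source"))
            elif not GUARD.search(Path(dirpath, name).read_text(errors="replace")):
                findings.append((rel, "no standalone guard: runs on direct request"))
    return sorted(findings)

def make_sample(root):
    """Constructed sample tree: one entry point and three include files."""
    files = {
        "index.php": "<?php define('IN_APP', 1); require 'includes/db.php';",
        "includes/db.php": "<?php $link = connect($cfg['host']);",
        "includes/guarded.php": "<?php if (!defined('IN_APP')) { exit; } $x = 1;",
        "config.inc": "<?php $cfg['host'] = 'localhost';",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(*audit_docroot(tmp), sep="\n")
```

Every path it reports is a candidate for moving out of the DocumentRoot, as the post suggests, rather than for patching in place.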