There *SHOULD* be some directory outside htdocs you can get to...

Talk to your ISP to see if there is.

If not, create a directory and add Apache directives to Deny All access to
that directory.  Not as good, but better than nothing.

--
WARNING [EMAIL PROTECTED] address is an endangered species -- Use
[EMAIL PROTECTED]
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
----- Original Message -----
From: Seb Frost <[EMAIL PROTECTED]>
Newsgroups: php.general
To: Rasmus Lerdorf <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, August 21, 2001 12:25 PM
Subject: RE: [PHP] hacks we should know about


> I don't host my own site so how can I put include files outside of the web
> root?  I log on ftp and my top level IS the web root (htdocs), I can't go
> any higher.
>
> - seb
>
> -----Original Message-----
> From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
> Sent: 17 August 2001 05:01
> To: Bob
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] hacks we should know about
>
>
> > hi i found it very helpful to know about hacks such as the below list
> > and was wondering if anyone had any more dumb mistakes they could tell
> > us before we make them.
> >
> > 1. http://www.somesite.com/source.php3?url=/etc/passwd
> > 2. http://www.somesite.com?page=../../../../etc/passwd
> > 3. not setting .inc files to be parsed by php
>
> This is the wrong solution to securing include files.  The correct
> solution is to block any direct access to .inc files by either putting
> them outside your document root or by using an Apache deny rule.
>
> -Rasmus
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
>
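
Added example, not part of the original thread: an .htaccess fragment for the Apache deny rule both replies recommend, shown next to the .inc-parsing setting from item 3 that Rasmus calls the wrong solution. It assumes the host honours .htaccess overrides in htdocs; the mod_authz_core version split is an addition to cover current Apache releases.

```apache
# .htaccess in the web root (htdocs), for hosts where FTP access stops
# at the document root.
# Assumption: the host permits overrides here (AllowOverride Limit for
# the Order/Deny lines, AllowOverride AuthConfig for Require).

# Weak setting (item 3 in the quoted list): have PHP parse .inc files.
# The source is no longer displayed, but every include can still be
# requested by URL and executed on its own, outside the page that was
# meant to include it. Left commented out on purpose.
# AddType application/x-httpd-php .inc

# Deny rule: refuse every direct HTTP request for a *.inc file.
# PHP's include()/require() read from the filesystem, not over HTTP,
# so the scripts that use these files keep working.
<FilesMatch "\.inc$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 and earlier
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Variant for a dedicated include directory created inside htdocs:
# put the Require/Order/Deny lines, without the FilesMatch wrapper,
# in an .htaccess file inside that directory.
```

Requesting one of the .inc files in a browser afterwards should return 403 Forbidden; if the source is still served, the host is ignoring the override.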

