Fixing stupid PHP application design flaws

To: Debian Security <debian-security@lists.debian.org>
Subject: Fixing stupid PHP application design flaws
From: Martin Schulze <joey@infodrom.org>
Date: Thu, 28 Apr 2005 15:15:08 +0200
Message-id: <[🔎] 20050428131508.GQ7744@finlandia.infodrom.north.de>
Mail-followup-to: joey@debian.org, Debian Security <debian-security@lists.debian.org>

Hey!

What do people on this list think about fixing PHP include files in a
DSA that are accessible via HTTP as well and contain one bug or
another as they are not supposed to be accessible via HTTP but
accidently are.

I'm rather annoyed by the lack of comptence of some PHP coders who
manage their project in a way so that include files are stored within
the regular DocumentRoot and are hencely accessible via HTTP as well.
Include files normally also don't contain any precaution about being
"executed" standalone.

These files should not be accessible via HTTP in the first place but
put into /usr/share/something instead and included from there.

As examples see the following problems:

CAN-2005-0459 - information disclosure in phpmyadmin
CAN-2005-0870 - cross site scripting in phpsysinfo

Regards,

	Joey

-- 
Everybody talks about it, but nobody does anything about it!  -- Mark Twain

Please always Cc to me when replying to me on the lists.

Reply to:

Follow-Ups:
- Re: Fixing stupid PHP application design flaws
  - From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
- Re: Fixing stupid PHP application design flaws
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: Fixing stupid PHP application design flaws
  - From: Hans Spaans <cj.spaans@nexit.nl>

Prev by Date: Re: Dns refresh
Next by Date: Re: Fixing stupid PHP application design flaws
Previous by thread: Re: Dns refresh
Next by thread: Re: Fixing stupid PHP application design flaws
Index(es):
- Date
- Thread