Fixing stupid PHP application design flaws
What do people on this list think about fixing PHP include files in a
DSA that are accessible via HTTP as well and contain one bug or
another as they are not supposed to be accessible via HTTP but
I'm rather annoyed by the lack of competence of some PHP coders who
manage their project in a way so that include files are stored within
the regular DocumentRoot and are hence accessible via HTTP as well.
Include files normally also don't contain any precaution about being
These files should not be accessible via HTTP in the first place but
put into /usr/share/something instead and included from there.
As examples see the following problems:
CAN-2005-0459 - information disclosure in phpmyadmin
CAN-2005-0870 - cross site scripting in phpsysinfo
Everybody talks about it, but nobody does anything about it! -- Mark Twain
Please always Cc to me when replying to me on the lists.
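The layout the post argues for, with include files under /usr/share and a direct-access guard inside each include, as an added example that is not code from the post or from either of the packages cited; the paths /var/www/app and /usr/share/app/include, the constant APP_ENTRY and the function render_page are assumptions, and the two files are shown in one block.

```php
<?php
// ---- File 1: /var/www/app/index.php (assumed front controller) ----
// This is the only PHP file placed under DocumentRoot. Everything it needs
// is pulled from a directory the web server does not serve, so a request
// for /include/render.php cannot reach the include file at all.
define('APP_ENTRY', true);                               // marks a legitimate entry point
define('APP_INCLUDE_DIR', '/usr/share/app/include');     // assumed path, outside DocumentRoot

require APP_INCLUDE_DIR . '/render.php';

$page = $_GET['page'] ?? 'home';
header('Content-Type: text/html; charset=UTF-8');
echo render_page($page);

// ---- File 2: /usr/share/app/include/render.php (assumed include file) ----
// Defence in depth: should this file ever be copied back under DocumentRoot,
// requesting it directly yields nothing. Without the guard, a direct request
// executes the file with none of the setup the entry script performs, which
// is exactly the situation that produces the disclosure and XSS bugs above.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit;
}

function render_page(string $page): string
{
    // Whitelist the selectable pages; unknown values fall back to 'home'.
    $titles = ['home' => 'Welcome', 'about' => 'About this site'];
    if (!isset($titles[$page])) {
        $page = 'home';
    }
    // Encode on output so the request parameter can never inject markup.
    return '<h1>' . htmlspecialchars($titles[$page], ENT_QUOTES, 'UTF-8') . '</h1>';
}
```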