[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Fixing stupid PHP application design flaws


What do people on this list think about fixing PHP include files in a
DSA that are accessible via HTTP as well and contain one bug or
another as they are not supposed to be accessible via HTTP but
accidently are.

I'm rather annoyed by the lack of comptence of some PHP coders who
manage their project in a way so that include files are stored within
the regular DocumentRoot and are hencely accessible via HTTP as well.
Include files normally also don't contain any precaution about being
"executed" standalone.

These files should not be accessible via HTTP in the first place but
put into /usr/share/something instead and included from there.

As examples see the following problems:

CAN-2005-0459 - information disclosure in phpmyadmin
CAN-2005-0870 - cross site scripting in phpsysinfo



Everybody talks about it, but nobody does anything about it!  -- Mark Twain

Please always Cc to me when replying to me on the lists.

Reply to: