Better still is to put your included files outside of the DocumentRoot. The include() function won't care (that is, include('/thefile.inc') includes the file 'thefile.inc' from the root directory of the filesystem, not from the DocumentRoot). It is usually possible to do this, even on the most braindead of providers.

-- Matt

> -----Original Message-----
> From: * (todd+1) [mailto:todd@ubermother.net]
> Sent: Tuesday, October 02, 2001 9:29 PM
> To: genetics@genetics.ath.cx; bugtraq@securityfocus.com
> Subject: Re: results of semi-automatic source code audit
>
>
> : --=[solution]=--
> ........snip........
> : in some_function.inc:
> : if ( !defined("MAINFILE") ) die ("this is a include file!");
> : include(CONFIGDIR . "config.inc");
>
> I'm afraid I don't feel this is much of a solution, since most
> linux/apache servers are, by default, configured with no special
> handlers for files of type ".inc". If you really want to remove all
> security problems, make sure the include files are of type php so
> their contents will not be revealed simply by browsing to them. This
> is an easier solution than saying "or make sure your configuration
> files have handlers for 'inc' files" because in cohosting solutions,
> you have little say over the configuration.
>
> todd[1]
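The layout discussed in this thread, as an added example that is not part of the original messages: an entry script inside the DocumentRoot that pulls its includes from a sibling directory outside it. MAINFILE and CONFIGDIR are the names from the quoted solution; the directory layout and the helper include_private() are assumptions made for illustration.

```php
<?php
// Assumed layout (constructed for this example):
//   /home/site/htdocs/index.php          <- DocumentRoot, reachable by URL
//   /home/site/private/config.inc        <- outside DocumentRoot, no URL maps to it
//   /home/site/private/some_function.inc
//
// Each .inc file can still start with the guard from the quoted message:
//   if ( !defined("MAINFILE") ) die ("this is a include file!");

define('MAINFILE', true);
define('CONFIGDIR', dirname(__DIR__) . '/private/');

/**
 * Hypothetical helper: include a file by bare name from CONFIGDIR,
 * refusing a CONFIGDIR that sits inside the DocumentRoot and any
 * name that resolves (for example via a symlink) outside CONFIGDIR.
 */
function include_private(string $name): void
{
    $sep  = DIRECTORY_SEPARATOR;
    $base = realpath(CONFIGDIR);
    if ($base === false) {
        die('private include directory is missing');
    }

    // If the include directory is under the DocumentRoot, a server with
    // no handler for ".inc" would serve these files as plain text.
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
    if ($docroot !== false && strpos($base . $sep, $docroot . $sep) === 0) {
        die('include directory is inside the DocumentRoot');
    }

    // basename() drops any directory part; realpath() resolves symlinks.
    $path = realpath($base . $sep . basename($name));
    if ($path === false || strpos($path, $base . $sep) !== 0) {
        die('refusing to include ' . htmlspecialchars($name));
    }

    require_once $path;
}

include_private('config.inc');
include_private('some_function.inc');
```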