Re: prevent user from getting scripts outside the web folder

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Graham Anderson wrote:
How does a hacker get access to your scripts located outside the web folder?
I asked a friend to hack my php script within the web folder...


er. why don't you *#@%*&#(%*&!@#^%(_*^#()% %   er ask him.


all of my crucial function were called by:
require_once("/home/siren/includes/fonovisa.inc");
the 'encrypt' functions are MCRYPT_RIJNDAEL_256

He was able to get access to the 'fonovisa.inc' php script [outside the web folder] and all the stuff inside Based on my current knowledge, my security breaches are probably big enough to drive a truck through :(


how can I prevent this ?

santize your input - make sure your webserver is secure.
don't give php files a .inc extension if you don't know what your doing.

your probably doing the equivelant of (although some what less obviously):

<?

echo get_file_contents( $_GET['anyfileyoulike'] );

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux