On Thu, Apr 28, 2005 at 03:15:08PM +0200, Martin Schulze wrote: > Hey! > > What do people on this list think about fixing PHP include files in a > DSA that are accessible via HTTP as well and contain one bug or > another as they are not supposed to be accessible via HTTP but > accidently are. > > I'm rather annoyed by the lack of comptence of some PHP coders who > manage their project in a way so that include files are stored within > the regular DocumentRoot and are hencely accessible via HTTP as well. > Include files normally also don't contain any precaution about being > "executed" standalone. > > These files should not be accessible via HTTP in the first place but > put into /usr/share/something instead and included from there.
I don't think that those include files are per definition a problem -- a well-managed project will only ship 'stock' include files only containing functions, whether the user gets to see the source of it, or it's being executed, it doesn't hurt. Of course, it's different if this is not the case (non-function stuff in include files). I'd myself be inclined to advice to only fix those cases where there might be a potential problem. A lot of PHP web applications are designed by upstream to be simply untarreable in the place where the URL is supposed to be, and as such have include files necessarily http-accessible. It's sometimes hard for packagers to fix this, and when the include fiels cannot do harm, I don't see why. It'd be wise for those projects to take the extra precaution by allowing (and the Debian maintainer to do so) include files outside the web root, but to DSA for such a thing when there might not even be a vulnerability at all, seems premature to me. It'd be like fixing all uses of sprintf because the programmer could have used snprintf to be more sure there is no problem. > As examples see the following problems: > > CAN-2005-0459 - information disclosure in phpmyadmin This is a non-vuln in Debian -- everyone who guesses the server runs Debian (by default, apache discloses that), knows the exact webpath: /usr/share/phpmyadmin. No surprise by leaking that (besides the fact that hiding it is security by obscurity). > CAN-2005-0870 - cross site scripting in phpsysinfo Yeah, that can be a real problem, and would probably warrant a fix -- most non-disruptive would be to prevent non-main include protection (by defining a constant in the main sites, and checking for that one in the include files). --Jeroen -- Jeroen van Wolffelaar [EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357) http://Jeroen.A-Eskwadraat.nl -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
