on 11/14/2000 11:23 PM, "Leon Atkinson" <[EMAIL PROTECTED]> wrote:
>> 1. security - at least 5 times now I've been able to find out people's
>> db name/login by requesting the "/modules/include/global_settings"
>> file. without an extension, most servers send it as text. easily
>> fixed, but it doesn't seem good to have FT install with such a
>> big security hole.
>
> But the real security hole is that people are mistakenly putting the modules
> directory in the Web server path. This should never be done, even if
> there are .php extensions.
Leon, maybe you should add a check that makes sure that that file doesn't
live in $DOCUMENT_ROOT/modules/include/global_settings.
Obviously this is a major security hole and there are at least 5 idiots on
this planet who can't understand that. :-)
-jon
--
twice of not very much is still a lot more than not very much
------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Site: http://www.working-dogs.com/freetrade/
Problems?: [EMAIL PROTECTED]
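The check Jon proposes, written out as an added example (this is not FreeTrade code and not Leon's): the application resolves the real path of its settings file and of the server's document root, and refuses to start if the former sits under the latter. The settings path passed at the bottom is an assumption for illustration; the real location is whatever the installer configured. Two cases get explicit handling: `DOCUMENT_ROOT` unset (CLI runs), and paths that cannot be resolved.

```php
<?php
// Added example: abort when global_settings is reachable through the web tree.
// A file inside DOCUMENT_ROOT is served to anyone who asks for it, and an
// extensionless file is typically sent as plain text, credentials included.

/**
 * True when $path is $root itself or lies somewhere beneath it.
 * realpath() canonicalises both sides so symlinks and "../" segments
 * cannot disguise where the file really lives.
 */
function path_is_under(string $path, string $root): bool
{
    $real_path = realpath($path);
    $real_root = realpath($root);
    if ($real_path === false || $real_root === false) {
        // Unresolvable path: caller decides; we report "cannot prove it is safe".
        return true;
    }
    $real_root = rtrim($real_root, DIRECTORY_SEPARATOR);
    if ($real_path === $real_root) {
        return true;
    }
    $prefix = $real_root . DIRECTORY_SEPARATOR;
    return strncmp($real_path, $prefix, strlen($prefix)) === 0;
}

/**
 * Stop the application with a generic error if the settings file is under
 * the document root. The message deliberately omits the path and contents:
 * leaking either is the very thing being prevented.
 */
function assert_settings_not_in_docroot(string $settings_file): void
{
    $docroot = $_SERVER['DOCUMENT_ROOT'] ?? '';
    if ($docroot === '') {
        // CLI invocation or a server that did not set DOCUMENT_ROOT:
        // there is no web tree to compare against, so nothing to enforce here.
        return;
    }
    if (path_is_under($settings_file, $docroot)) {
        error_log('global_settings resolves inside DOCUMENT_ROOT; move the modules directory outside the web tree');
        http_response_code(500);
        exit('Configuration error: settings file is inside the document root.');
    }
}

// Assumed location, one level above the web-facing script directory.
assert_settings_not_in_docroot(__DIR__ . '/../modules/include/global_settings');
```

Running this once at startup turns a silent credential leak into a hard failure during installation, which is when the admin is watching. It complements, rather than replaces, the fix Leon describes: keep the whole modules directory outside the document root. Where that is not possible, an Apache `<Files>` block denying access to the settings file adds a second layer, but the realpath comparison above is what catches the misplacement itself.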