>>> <[EMAIL PROTECTED]> 12/08/2004 07:45:20 >>> > In case where the > HTML file is an PHP, or an .index.php.swp is found, values like DB > usernames/passwords, security mechanism or worse might be revealed to the > user requesting the file.
> What can you do? > There isn't much you can do beside: > 1) Avoid leaving these files behind > 2) Make rules in Apache/whatever to block access to .swp, ~, etc files. A "fix", really a bit of coding discipline, from my previous employers': Every .php file that Apache could see just included the .inc file of the same name. Includes were in a directory not accessible by Apache. Very easy to automate with a script too -- a bit of find | sed | xargs can make sure all the .inc files had a respective .php in the "www root" directory that Apache could read. Has the additional advantage that if your .PHP interpreter breaks and Apache starts serving the files as-is, again you don't lose your source code to your customers/the internet/etc. Marek _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
