Yep, and then you show off your super elite php build with phpinfo() and
get to see ALL the environment variables of the user that apache was
started as.  How wonderful!

Just require_once() your connection scripts if you're going to
highlight_file or give a phps.

Other methods are just plain stupid.  I hope everyone on php-dev@ agrees
that this isn't a "vulnerability".

Kind regards,

Devon H. O'Dell
sitetronics.com

Original Message:
-----------------
From: Jedi/Sector One [EMAIL PROTECTED]
Date: Thu, 19 Sep 2002 20:02:22 +0200
To: [EMAIL PROTECTED]
Subject: Re: [PHP-DEV] Thread Reading


On Thu, Sep 19, 2002 at 01:56:03PM -0400, [EMAIL PROTECTED] wrote:
> This is a security standard that is already inherent in the current phps
> version.  It is also not the job of PHP to save people from themselves.

  And sensitive cleartext data like SQL passwords can always be passed
through environment variables. For instance, Apache has the 'Setenv'
directive to set this, and the httpd.conf file can be made only readable by
root.

  That way, publishing the source code doesn't reveal anything.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <[EMAIL PROTECTED]>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
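To illustrate the point made in both messages, here is an added example that is not code from either poster or from PHP itself. It assumes a constructed directory layout and password (`phps-demo-*` under the system temp dir) and uses highlight_file() in return mode to compare what a .phps handler would emit for a script with inline credentials versus one that only require_once()s a connection script kept outside the document root:

```php
<?php
// Added example, not from the thread. Demonstrates that highlight_file()
// on a script with inline credentials exposes them, while a script that
// only require_once()s a connection file outside the document root does not.
// All paths and the password below are constructed for the demo.
declare(strict_types=1);

$secret = 'constructed-example-password';
$tmp    = sys_get_temp_dir() . '/phps-demo-' . getmypid();
mkdir($tmp . '/htdocs', 0700, true);   // what the web server would serve
mkdir($tmp . '/private', 0700, true);  // never reachable by URL

// Bad: credentials inline in a file that may be served as .phps / highlighted.
file_put_contents($tmp . '/htdocs/bad.php', <<<PHP
<?php
\$db = new PDO('mysql:host=localhost;dbname=app', 'appuser', '$secret');
PHP);

// Better: the public script pulls in the connection script from outside the
// document root, so the credentials never appear in anything highlighted.
file_put_contents($tmp . '/private/db_connect.php', <<<PHP
<?php
\$db = new PDO('mysql:host=localhost;dbname=app', 'appuser', '$secret');
PHP);
file_put_contents($tmp . '/htdocs/good.php', <<<'PHP'
<?php
require_once __DIR__ . '/../private/db_connect.php';
PHP);

// highlight_file(..., true) returns the rendered source instead of printing
// it, which is what a .phps handler or a "view source" page would emit.
function leaks(string $file, string $needle): bool
{
    $rendered = highlight_file($file, true);
    return $rendered !== false && strpos($rendered, $needle) !== false;
}

var_dump(leaks($tmp . '/htdocs/bad.php', $secret));
var_dump(leaks($tmp . '/htdocs/good.php', $secret));

// Caveat from the thread: moving the password into an Apache SetEnv variable
// keeps it out of highlighted source, but phpinfo() (and $_SERVER dumps) will
// still print every environment variable of the server process, so a
// reachable phpinfo() page undoes that protection.

// Clean up the constructed files.
foreach (['htdocs/bad.php', 'htdocs/good.php', 'private/db_connect.php'] as $f) {
    unlink($tmp . '/' . $f);
}
rmdir($tmp . '/htdocs'); rmdir($tmp . '/private'); rmdir($tmp);
```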





--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
