The security hole is probably not existent in my opinion.

PHP is (normally) parsed by the remote server (no source viewable) and the
result is being included, not the source.
When "http://.../script.php?var=value" was mentioned, it implies the
script is being parsed remotely so that the http request variables are
being used within the script.

A test to confirm that is to point the browser to the address being
included. See the source? Vulnerable. See the results? Not vulnerable.

HTH,
Andrew

> On Sun, 2004-02-08 at 04:14, PHP Email List wrote:
>> Ok so on this topic, I do something similar to this with my scripts, and if
>> my includes are vulnerable... I need to know how?
>>
>> I have tested this and the includes parse the information as it includes it,
>> I can't see the code, so how is this possible where you say:
>
> Are you referring to including a file locally, or including a file from
> a remote server via http?  From what I understand this thread is about
> including a php script from a different server over http.  In this case
> the php code will be viewable if you open it via a web browser.  If you
> know of a way to include a file remotely with php, but not browse to it,
> please let me know.  Presumably you could use apache to restrict access
> to the file by ip, however that can still be subverted by a man in the
> middle attack.  I would be curious to see an example where this method
> of including a file would be necessary.
>
> --
> Adam Bregenzer
> [EMAIL PROTECTED]
> http://adam.bregenzer.net/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
>
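Added example, not part of the original thread: the browser test described in the reply above (does the included address return the script's source or its output?) written as a Python check. The function names, the list of MIME types and the sample responses are assumptions constructed for illustration; `check_url` is meant for an address you operate yourself.

```python
import re
from urllib.request import urlopen

# MIME types a server may use when it hands out PHP files unexecuted.
SOURCE_TYPES = {"application/x-httpd-php", "application/x-httpd-php-source",
                "application/x-php", "text/x-php"}
# Any "<?" opener (<?php, <?=, short tag) except an XML declaration.
RAW_TAG = re.compile(r"<\?(?!xml\b)", re.IGNORECASE)
# HTML-escaped opener: highlighted source (.phps) or a page quoting PHP code.
ESCAPED_TAG = re.compile(r"&lt;\?(?:php\b|=)", re.IGNORECASE)


def classify_response(content_type, body):
    """Return 'source-exposed', 'review' or 'rendered' for one HTTP response."""
    mime = content_type.split(";")[0].strip().lower()
    if mime in SOURCE_TYPES or RAW_TAG.search(body):
        return "source-exposed"   # the server sent the script itself
    if ESCAPED_TAG.search(body):
        return "review"           # could be highlighted source or a tutorial page
    return "rendered"             # only the script's output came back


def check_url(url, timeout=10):
    """Fetch a URL you operate and classify what a browser would receive."""
    with urlopen(url, timeout=timeout) as resp:
        body = resp.read(65536).decode("utf-8", errors="replace")
        return classify_response(resp.headers.get("Content-Type", ""), body)


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "parsed": ("text/html; charset=UTF-8", "<html><body>Hello value</body></html>"),
    "unparsed": ("text/plain", "<?php\n$db_pass = 'example';\necho $_GET['var'];\n?>"),
    "short_tag": ("text/html", "<? include 'config.inc'; ?>"),
    "xml_output": ("text/xml", "<?xml version=\"1.0\"?><rss></rss>"),
    "highlighted": ("text/html", "<code>&lt;?php echo 1; ?&gt;</code>"),
    "download": ("application/x-httpd-php", ""),
}

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(f"{name:12} {classify_response(ctype, body)}")
```

A `review` verdict needs a human look, because an HTML-escaped `<?php` appears both in highlighted source and in ordinary pages that quote PHP code.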
