Hi,
As Andrew has said, there is no risk here. What you will see is the parsed output (if the webserver has PHP installed). If this is indeed a vulnerability we can just add lines similar to


include("http://elsewhere.com/list.php");

in our code and be able to easily view other people's PHP scripts.



Andrew Séguin wrote:

The security hole is probably not existent in my opinion.

PHP is (normally) parsed by the remote server (no source viewable) and the
result is being included, not the source.
When "http://.../script.php?var=value" was mentioned, it implies the
script is being parsed remotely so that the http request variables are
being used within the script.

A test to confirm that is to point the browser to the address being
included. See the source? vulnerable. See the results? not vulnerable.

HTH,
Andrew



On Sun, 2004-02-08 at 04:14, PHP Email List wrote:


Ok so on this topic, I do something similar to this with my scripts, and if
my includes are vulnerable... I need to know how?

I have tested this and the includes parse the information as it includes





--
Raditha Dissanayake.
------------------------------------------------------------------------
http://www.radinks.com/sftp/          | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with  | Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB | with progress bar.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
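
The browser test Andrew describes (request the included address and see whether source or results come back) can be scripted to audit your own endpoints. This is an added example, not code from the thread; the function name classifyResponse and all sample responses are constructed for illustration.

```php
<?php
// Added example: decide whether an HTTP response is unparsed PHP source
// or the parsed output of a script. Sample responses are constructed.

/**
 * Returns 'source' when the server handed back the script itself,
 * 'parsed' when only the script's output is visible.
 */
function classifyResponse(string $contentType, string $body): string
{
    // A source-highlighting handler serves code on purpose.
    if (stripos($contentType, 'application/x-httpd-php-source') !== false) {
        return 'source';
    }
    // An open tag surviving in the body means nothing executed the script.
    // Matches "<?php", "<?=" and the bare short tag; an XML declaration
    // such as "<?xml" is left alone because "x" follows the "<?".
    if (preg_match('/<\?(?:php\b|=|\s)/i', $body) === 1) {
        return 'source';
    }
    return 'parsed';
}

// Constructed responses: [label, Content-Type header, body].
$samples = [
    ['PHP handler active', 'text/html',
        '<ul><li>alpha</li><li>beta</li></ul>'],
    ['no PHP handler', 'text/plain',
        "<?php\n\$items = array('alpha', 'beta');\nprint_r(\$items);\n"],
    ['XML output from a script', 'application/xml',
        '<?xml version="1.0"?><list><item>alpha</item></list>'],
];

foreach ($samples as [$label, $type, $body]) {
    // In a live check, $type and $body would come from requesting the
    // address that your own include() points at.
    printf("%-26s %s\n", $label, classifyResponse($type, $body));
}
```

A 'source' result for an address you serve means the web server is not passing that file to PHP, so anyone requesting it can read the script.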


