Dear all,

  One more measure to stop the source code of .inc files being retrieved
is to deny files which have the "inc" extension in the Apache httpd.conf itself,
using the "DIRECTORY" configuration.

with regards,
Sukumar .S

On Thu, 17 Jan 2002, Radu Filip wrote:

> Date: Thu, 17 Jan 2002 02:10:01 +0200 (EET)
> From: Radu Filip <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Subject: Re: [PHP] PHP Security - "view source code"
> 
> On Thu, 17 Jan 2002, [EMAIL PROTECTED] wrote:
> 
> > I've seen a number of sites for example that didn't have the .inc extension registered,
> > include() doesn't care about that, but if your includes are under the document root of your
> > website (that happens a lot too, I don't know why?) and you specify the exact name of
> > the include in your browser (or worse, the directory is browsable from the web), the webserver
> > will default to text/plain content and display the source. Bad thing since includes usually contain
> > passwords and stuff.
> 
> I agree with this, since I saw such mistakes with my own eyes. IMHO, the
> best way to avoid this kind of problem is to:
> 
> (1) avoid using .inc files; use .php files like for normal scripts
> (2) turn the Indexes directive off by default per website
> (3) make directories 711 instead of 755
> (4) develop an organized PHP scripts structure outside DocumentRoot and
> place the files that you will eventually include in an "include"
> subdirectory within that structure
> (5) review changes all the time, check your weblogs and be vigilant :-)
> 
> Ave,
>   Socrate
> 
> -- 
> Radu Filip
>                            Network Administrator @ Technical University of Iasi
> [EMAIL PROTECTED]             Information Technology and Communication Center
> http://socrate.tuiasi.ro/  [EMAIL PROTECTED] | http://ccti.tuiasi.ro/
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 

----------------------------------------------------------------------
A real friend is one who walks in when the rest of the world walks out
----------------------------------------------------------------------
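The following Apache virtual host is an added example, not configuration posted by Sukumar or Radu. It puts the two pieces of advice above into one file: the "deny every .inc file" rule from Sukumar's message, and items (2) and (4) from Radu's list (directory listings off, includes kept outside DocumentRoot and reached through PHP's include_path). Every path and host name in it is a placeholder, and the `php_value` line assumes PHP runs as mod_php; the access directives use Apache 2.4 syntax, with the older 2.2 form noted in comments.

```apache
# Added example (not from the thread). Paths and ServerName are placeholders.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/srv/www/example.com/htdocs"

    # Radu's (2): no automatic directory listings anywhere under the document root,
    # so a browsable include directory cannot reveal what files exist.
    <Directory "/srv/www/example.com/htdocs">
        Options -Indexes
        AllowOverride None
        Require all granted          # Apache 2.2: Order allow,deny / Allow from all
    </Directory>

    # Sukumar's point: refuse to serve anything ending in .inc, wherever it sits.
    # Matching on the file name rather than a directory also covers a stray copy
    # dropped into a subdirectory; a 403 is returned instead of text/plain source.
    <FilesMatch "\.inc$">
        Require all denied           # Apache 2.2: Order allow,deny / Deny from all
    </FilesMatch>

    # Radu's (4): the real include files live outside DocumentRoot, so no URL maps
    # to them at all. PHP still finds them via include_path, e.g. include('db.php').
    # (assumes mod_php; with php-fpm set include_path in php.ini or the pool instead)
    php_value include_path ".:/srv/www/example.com/include"
</VirtualHost>
```

After editing, `apachectl configtest` (or `httpd -t`) confirms the syntax, and requesting a known include name such as `/lib/config.inc` should answer 403 rather than the file contents. The `<FilesMatch>` block is a safety net for files that should not be under the document root in the first place; the structural fix remains keeping them outside it, as Radu describes.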

