On Sunday 30 June 2002 09:52, Justin French wrote:
> on 29/06/02 3:20 AM, Tamas Arpad ([EMAIL PROTECTED]) wrote:
>
> >> I was thinking if you use 90 character long filenames, assuming you
> >> only use the letters of the alphabet and the digits then you would
> >> have 62^90 different filenames, which is roughly 2E161 (2 followed by
> >> 161 zeros), which is quite a bit. Hopefully the numbers involved
> >> would make it infeasible for an attacker to loop through all the
> >> permutations.
> >
> > But what if the attacker just knows one file's name, for example
> > index.php or something that's in the URL in the browser. Then he/she
> > can steal that file, read it, and get other filenames because of
> > includes/requires. With some work he/she can get all the files without
> > any brute-force filename guessing.
> [...]
> If you adopt some of the practices (I think) included earlier in this
> thread by me, you could restrict browser access to your inc files by the
> use of smart file naming, dedicated directories and .htaccess files;
> then this should cover the basics of people grabbing your included files
> (with passwords etc.) via HTTP (browser).
>
> It doesn't cover people within the server (others on a shared server,
> etc.) though.
Yes, but I think we were talking about the latter, when users have shell access on a shared server. Preventing people from getting the PHP source through the web server is relatively easy; there are really a dozen ways.

Arpi

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
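The HTTP-side measures Justin lists (a dedicated directory, an .htaccess rule, and a guard inside the include itself), put together as an added example; this is not code from the thread or from either poster. The directory layout, file names and the DB_* constants are assumed for illustration, and the Apache directives use the Order/Deny syntax of Apache 1.3/2.0, which is what was current when this was written. The block is two files; the separator comments show where each one starts, and the second file begins with its own `<?php` tag.

```php
<?php
// Added example, not from the thread. Layout assumed for illustration:
//
//   /home/site/app/config.inc.php    <- outside DocumentRoot: no URL maps to it
//   /home/site/htdocs/index.php      <- the only file a browser needs to request
//   /home/site/htdocs/inc/.htaccess  <- belt and braces for any include that
//                                       has to stay under DocumentRoot
//
// Contents of htdocs/inc/.htaccess (Apache 1.3/2.0 syntax, assumed; needs
// "AllowOverride Limit" or better for that directory):
//
//   <Files ~ "\.inc$">
//       Order allow,deny
//       Deny from all
//   </Files>
//
// ---------- file 1: /home/site/htdocs/index.php ----------

// Marker that tells included files they were loaded through this entry
// script rather than requested directly by URL.
define('IN_APP', true);

// Include from a directory the web server cannot serve at all. Building the
// path from __FILE__ avoids depending on include_path or the CWD.
require_once dirname(__FILE__) . '/../app/config.inc.php';

echo 'would connect to ' . htmlspecialchars(DB_HOST)
   . ' as ' . htmlspecialchars(DB_USER) . "\n";

// ---------- file 2: /home/site/app/config.inc.php (starts with <?php) ----------

// If this file is ever reachable and executed on its own (copied under
// DocumentRoot by mistake, .htaccess lost in a deploy), stop before any
// code below runs or emits anything.
if (!defined('IN_APP')) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// Assumed placeholder values; in real use these are the secrets that must
// never be readable over HTTP.
define('DB_HOST', 'localhost');
define('DB_USER', 'siteuser');
define('DB_PASS', 'change-me');
```

The three layers cover different failure modes: keeping the include outside DocumentRoot means there is no URL to guess in the first place; the .htaccess rule matters for includes whose names Apache would otherwise serve as plain text (anything not mapped to the PHP handler, which is the classic leak of a `.inc` file); and the IN_APP guard matters when an include is parsed as PHP but executed on its own. As Arpi says above, none of this does anything about another shell user on the same host, who reads the file through the filesystem, not the web server; that is a question of file ownership and permissions and of which user PHP runs as, not of URL layout.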