On Tue, Aug 05, 2003 at 05:26:58PM +0000, Voytek Eymont wrote:
> so, is there a need to have php's inc files outside the web server root ??

It wouldn't be my first choice of security fixes - but, in a poorly written
application, it is possible that an exploit could be obtained by (for
instance) a PHP script which had code executed at the top level which could
be made to do naughty things by means of form variables.

I'd be more worried about the app as a whole, though, in that instance,
since if they're playing silly buggers in one place, they're probably doing
it elsewhere, too.

> am I wasting my time moving the inc files and modifying scripts ?
> or, is it still a good idea ?

It might give a slight additional peace of mind, but it certainly wouldn't
be top on my list.

Certainly, if all of the include files have (as they should) nothing but
function and class definitions, there's *nothing* an attacker could do by
grabbing these files directly - no code will actually be run.  And if they
get the source code (because the files don't have a .php extension), who
cares - they could get the source from a regular download anyway (unless
it's an internally written thing, which I'd hope would be properly secured
anyway).

- Matt
-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
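The distinction Matt draws (an include that only defines things versus one that runs code at the top level) is easiest to see side by side. The following is an added illustration, not code from the thread or from any project it mentions; the file names, the `users.inc`/`admin.php` layout, the `APP_ENTRY` guard constant and the `delete_user`/`user_is_admin` helpers are all hypothetical, and the three parts are meant as three separate files.

```php
<?php
// Added example (not from the original post). Hypothetical file layout:
//   htdocs/admin.php      - entry point, the only file the web server should run
//   lib/users.inc         - include file, kept OUTSIDE the document root
// The same layout with lib/ under htdocs/ is the situation the thread is about.

// ---------------------------------------------------------------------------
// RISKY include: top-level code that acts on request data.
// If this file lives at htdocs/lib/users.inc and the server executes it as
// PHP, a direct request to /lib/users.inc?delete_id=7 runs the delete with
// whatever authentication admin.php performed simply skipped. (In 2003 many
// hosts still had register_globals on, so "form variables" could also
// overwrite plain variables such as $db with a query-string value.)
// ---------------------------------------------------------------------------
//
//   if (isset($_REQUEST['delete_id'])) {
//       delete_user($db, (int) $_REQUEST['delete_id']);   // runs on any request
//   }

// ---------------------------------------------------------------------------
// lib/users.inc (hardened): definitions only, plus a cheap guard so that a
// direct fetch still does nothing even if the file ends up inside htdocs.
// ---------------------------------------------------------------------------
declare(strict_types=1);

if (!defined('APP_ENTRY')) {          // only an entry point defines this
    http_response_code(403);
    exit;
}

function user_is_admin(array $session): bool
{
    return isset($session['role']) && $session['role'] === 'admin';
}

function delete_user(PDO $db, int $id): void
{
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
}

// ---------------------------------------------------------------------------
// htdocs/admin.php: the entry point decides who may do what, then calls the
// functions. The include is pulled from above the document root, so the web
// server can never serve its source or execute it on its own.
// ---------------------------------------------------------------------------
//
//   <?php
//   define('APP_ENTRY', true);
//   require dirname(__DIR__) . '/lib/users.inc';
//
//   session_start();
//   if (!user_is_admin($_SESSION)) {
//       http_response_code(403);
//       exit;
//   }
//   $db = new PDO('sqlite:' . dirname(__DIR__) . '/data/app.db');  // hypothetical DSN
//   if (isset($_POST['delete_id'])) {
//       delete_user($db, (int) $_POST['delete_id']);
//   }
//
// If the .inc files have to stay inside the document root, the usual
// belt-and-braces is to refuse to serve them at all (Apache 2.4 syntax;
// older Apache: "Order allow,deny" / "Deny from all"):
//
//   <FilesMatch "\.inc$">
//       Require all denied
//   </FilesMatch>
```

The guard constant is a defence in depth only: an include that contains nothing but definitions is already harmless when fetched directly, which is Matt's point. Moving the file above the document root, or denying it in the server config, additionally keeps the source from being read, which only matters when the source itself is sensitive (credentials in a config include, for example).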