Ok, a couple of questions. I have include files that someone else is including from their server, and he is unable to view the source code that he is utilizing in an include script. Of course this is running Apache and Unix with PHP 4.3.4.
So my questions are:

1> Are you testing or referring to this on a Windows server running IIS/Apache?
2> Are you referring to an older version of PHP?
3> Have you even tested what you're saying?

I am going to be running some more tests, but so far all of the testing that I have done running an HTTP request is parsing the include files. I have even checked a browser-based FTP request and nothing shows for the PHP file. I'd be interested in hearing about you testing one of these ideas you have and posting a link so that we can see that what you are talking about is actually working.

-----Original Message-----
From: Adam Bregenzer [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 08, 2004 11:49 AM
To: Andrew Séguin
Cc: PHP Email List; [EMAIL PROTECTED]
Subject: Re: [PHP] Revised: RE: [PHP] Re: Can I do this?

On Sun, 2004-02-08 at 08:27, Andrew Séguin wrote:
> A test to confirm that, is to point the browser to the address being
> included. See the source? vulnerable. See the results? not vulnerable.

If you do not see 'source' then what are you including? For example the following script could be included remotely:

<?php
// The heredoc is printed as-is: \$sql stays literal, $number is interpolated
echo <<<EOF
<?php
\$sql = "SELECT * FROM table WHERE id = $number";
?>
EOF;
?>

If you were able to include the above source with:

include("http://somewhere.com/file.php?number=123");

You could include and see PHP code. Not the original, but something that is still useful. include() includes PHP code; if you can include a file from a remote source you can view it with a browser. What you say is true: "See the source? vulnerable. See the results? not vulnerable." Of course if you can not see it you also can not include it remotely.

As a side note, it is safer to put includes outside the web path. An overflow or some other bug may be found that would bypass processing of .php files (or a different bug could be exploited to write a .htaccess file in that directory). If you have the option to move includes to a different directory it is more secure.
--
Adam Bregenzer
[EMAIL PROTECTED]
http://adam.bregenzer.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
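The side note in Adam's message (keep includes outside the web path) is the part of this thread a defender can act on directly. The following loader is an added example written for this page, not code posted by anyone in the thread: it resolves include names only against a private directory that sits outside DocumentRoot, refuses URL wrappers and path traversal, and warns when allow_url_fopen would let include() fetch a remote script's output. The directory layout (/var/www/html as DocumentRoot, /var/www/includes as the private directory), the file name db.inc.php and the function names are assumptions for the illustration.

```php
<?php
// Added example, not from the thread. Assumed layout: this file lives under
// /var/www/html (DocumentRoot) and the include files under /var/www/includes,
// which the web server never serves, raw or parsed.
define('PRIVATE_INCLUDE_DIR', dirname(__FILE__) . '/../includes');

/**
 * Resolve $name to a file inside PRIVATE_INCLUDE_DIR, or return false.
 * Rejects stream wrappers (http://, ftp://, php://, ...) and any path that
 * would leave the private directory.
 */
function resolve_private_include($name)
{
    // Anything shaped like "scheme://" is a stream wrapper, not a local file.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $name)) {
        return false;
    }
    // Only a bare file name is accepted: no directory separators at all.
    if ($name !== basename($name)) {
        return false;
    }
    $base = realpath(PRIVATE_INCLUDE_DIR);
    $path = realpath($base . '/' . $name);
    if ($base === false || $path === false) {
        return false;   // directory or file does not exist
    }
    // realpath() has already followed symlinks and collapsed "..", so the
    // result must still start with the private directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return $path;
}

/** Include $name from the private directory; returns false when refused. */
function load_private_include($name)
{
    $path = resolve_private_include($name);
    if ($path === false) {
        trigger_error("refused include: $name", E_USER_WARNING);
        return false;
    }
    return include $path;
}

// With allow_url_fopen off, include("http://...") cannot fetch anything, so a
// remote server's output is never executed as PHP on this host.
if (ini_get('allow_url_fopen')) {
    trigger_error('allow_url_fopen is on; consider disabling it in php.ini',
                  E_USER_NOTICE);
}

// Usage: include names come from code, never straight from the request.
load_private_include('db.inc.php');                 // loads /var/www/includes/db.inc.php (assumed file)
load_private_include('http://somewhere.com/x.php'); // refused: stream wrapper
load_private_include('../html/index.php');          // refused: directory separator
```

Two things the thread establishes are worth keeping in mind when reading the code. First, what include("http://...") receives is whatever the remote server emits after executing the script, so the only reliable way to keep remote output out of the interpreter is to not allow the fetch at all (allow_url_fopen off); the wrapper check above is a second line of defence, not a substitute. Second, once the include files live outside DocumentRoot, the failure modes Adam lists (a bug that bypasses .php processing, or a writable .htaccess in the include directory) no longer expose them through the web server, because no URL maps to that directory in the first place.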