Nope, I see the server-parsed output. Try loading the URL directly in your browser!! What you see is what you get when you include.


Adam Bregenzer wrote:


On Sun, 2004-02-08 at 08:27, Andrew Séguin wrote:


A test to confirm that is to point the browser to the address being
included. See the source? vulnerable. See the results? not vulnerable.

If you do not see 'source', then what are you including? For example, the following script could be included remotely:

<?php
// $number comes from the query string. In 2004 register_globals supplied it
// automatically; this line makes the script behave the same with it off.
$number = $_GET['number'];
// Heredoc syntax is <<<EOF. \$sql is escaped so it is emitted literally,
// while $number is interpolated, so the output is itself a PHP script.
echo <<<EOF
<?php
\$sql = "SELECT * FROM table WHERE id = $number";
?>
EOF;
?>

If you were able to include the above source with:
include("http://somewhere.com/file.php?number=123");
You could include and see PHP code.  Not the original, but something that
is still useful.  include() includes PHP code; if you can include a file
from a remote source you can view it with a browser.  What you say is
true:
"See the source? vulnerable. See the results? not vulnerable."
Of course if you can not see it you also can not include it remotely.

As a side note it is safer to put includes outside the web path.  An
overflow or some other bug may be found that would bypass processing of
.php files (or a different bug could be exploited to write a .htaccess
file in that directory).  If you have the option to move includes to a
different directory it is more secure.

--
Raditha Dissanayake.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
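An added example, not code from anyone in this thread: the include pattern that makes the test discussed above matter, next to a hardened form that lets the request pick a key rather than a path and keeps the real files outside the web path, as Adam's side note suggests. The directory and file names are assumptions.

```php
<?php
// Added example, not from the thread. All paths and file names are assumed.

// Vulnerable pattern: the include target comes straight from the request.
// With allow_url_fopen/allow_url_include on, ?page=http://somewhere.com/file
// makes PHP fetch that URL and execute whatever PHP code its *output* contains,
// which is exactly the point made above: parsed output can still be PHP.
function render_page_vulnerable(): void
{
    $page = $_GET['page'] ?? 'home';
    include($page . '.php');
}

// Hardened pattern: the request selects a whitelist key, never a path, and the
// files live outside the document root (assumed /var/www/includes), so a server
// that one day stops processing .php files still cannot serve their source.
const INCLUDE_DIR = '/var/www/includes';   // assumed location, outside web path
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function render_page_hardened(): void
{
    $page = $_GET['page'] ?? 'home';
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        return;
    }
    // realpath() resolves symlinks and '..'; the prefix check rejects anything
    // that resolves outside INCLUDE_DIR even if PAGES is later edited carelessly.
    $path = realpath(INCLUDE_DIR . '/' . PAGES[$page]);
    $prefix = INCLUDE_DIR . '/';
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        http_response_code(500);
        return;
    }
    include($path);
}

render_page_hardened();
```

Setting allow_url_include=Off in php.ini (and allow_url_fopen=Off where nothing needs it) removes the remote case outright, but the whitelist is still what stops a local path being chosen by the request.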