Re: PHP-Survey Database Access Vulnerability: msg#00394 security.bugtraq
From: "MOD" <br014c1155@xxxxxxxxxxxxxxxx>

> PHP-Survey is an online survey creation and management system written in
> PHP. It uses a MySQL database on backend for all data handling.
> Global.inc holds the database information, and settings for the survey's
> interface. Global.inc on default settings is not interpreted by PHP hence
> any user can make an HTTP request for global.inc and will be able to view
> the source code, hence the database password, username, localhost is
> revealed, and also superuser information for the administration of the poll
> survey. A solution might be to rename global.inc to global.inc.php.

Better advice would probably be to make .inc files inaccessible to web browsers. This is generally a good idea, as to the best of my knowledge no web app ever sends .inc files for anything. On Apache, this could be done with something like this:

    <Files *.inc>
        Order allow,deny
        Deny from all
    </Files>

Jens Knoell
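An audit for the condition discussed in this thread, as an added example that is not part of the original posts or of PHP-Survey: it lists files under a web root that hold PHP source or credential-like settings but would be sent to the client as plain text. The handled-extension set, the function names and the sample files are assumptions constructed for illustration.

```python
import fnmatch
import os
import re
import tempfile

# Assumption: extensions the web server hands to the PHP interpreter.
PHP_HANDLED = {".php", ".phtml"}
# A PHP open tag, or an assignment that looks like a database setting.
SENSITIVE = re.compile(rb"<\?(php|=|\s)|(pass(word)?|db_?user)\s*=", re.I)


def find_exposed_includes(docroot, denied_patterns=(), handled=PHP_HANDLED):
    """Return docroot-relative files with PHP source or credential-like text
    that are neither executed by PHP nor matched by a deny glob."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in handled:
                continue  # interpreted: the source is not sent to the client
            if any(fnmatch.fnmatch(name, pat) for pat in denied_patterns):
                continue  # covered by a <Files ...> style deny rule
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)  # settings sit near the top of the file
            if SENSITIVE.search(head):
                exposed.append(os.path.relpath(path, docroot))
    return sorted(exposed)


def demo():
    """Audit a constructed docroot without and with the *.inc deny rule."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not taken from PHP-Survey
            "index.php": b"<?php include 'global.inc'; ?>",
            "global.inc": b"<?php $db_user = 'survey'; $password = 'example'; ?>",
            "logo.txt": b"plain text, nothing sensitive",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return (find_exposed_includes(root),
                find_exposed_includes(root, denied_patterns=["*.inc"]))


if __name__ == "__main__":
    print(demo())
```

The glob list passed as `denied_patterns` stands in for the file name patterns of the server's deny rules; the script does not parse the Apache configuration itself.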