NYCPHP Meetup

[nycphp-talk] FUNDAMENTALS #1: Site Structure

jon baer jonbaer at jonbaer.net
Thu Sep 4 11:20:33 EDT 2003


i find it kinda odd that the only advise suggested on the topic in Security
Focus's "Securing PHP" is to simply make the includes + classes w/ the same
mime-type as a php app:

http://www.securityfocus.com/infocus/1706

-snip-
AddModule mod_php4.c
AddType application/x-httpd-php .php
AddType application/x-httpd-php .inc
AddType application/x-httpd-php .class


It is worth to note that besides "*.php", two extensions have been added as
PHP scripts: "*.inc" and "*.class". Programmers often include additional
files, with an extension like "*.inc", "*.class" or similar. Because by
default those extensions are treated as regular files, the requests to
download them will reveal the source code comprised in them. This can lead
to revealing passwords or other sensitive information.

-snip-

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47




More information about the talk mailing list