
From: Ryan Fox (rfox_at_amerisuk.com)
Date: Tue Jul 09 2002 - 10:28:42 CDT

    On Tue, 2002-07-09 at 03:28, Andrew van der Stock wrote:
    > Kevin,
    >
    > It is important to reinforce the lesson of "As long as the include file
    > is not of a type that can be returned in plaintext to the server" bit of
    > your mail. I see it all the time during my code reviews, and it's never
    > a good thing.
    <snip>
    > If you rename 'blah.inc' to 'blah.asp', the source is processed by the
    > ASP dll before being handed off to the requestor. There is no downside
    > to this preferred behavior.

    No downside as long as that processing happens. The downside occurs
    when the latest IIS ISAPI processing exploit goes 0day and every kiddie
    can retrieve that file plaintext. While I agree with you in theory, in
    practice there are new exploits that cause IIS to do this every 6 months
    like clockwork. IMNSHO, the place for sensitive config files is outside
    the document root. A good directory layout would be:

     Web Stuff
      |
      |--Document Root
      |
      `--Config Files

    Setting your web server's document root to Document Root, you could set
    options like PHP's open_basedir[1] to the Web Stuff directory, allowing
    PHP to access the config files folder but not all the scary stuff above
    it.

    Cheers,
    Ryan Fox

    [1] http://www.php.net/manual/en/configuration.php#ini.open-basedir
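The layout and open_basedir setting from the mail above, worked through as an added example; this is not code from the thread, and the paths under /srv/example, the Apache vhost lines, the config file name db.php and the array it returns are all assumptions. It is the script that lives in the document root and pulls its configuration from the sibling "Config Files" directory, with a self-check that open_basedir is actually in force.

```php
<?php
// Added example, not part of Ryan Fox's mail. It maps the layout from the
// message onto these (assumed) paths:
//
//   /srv/example/            "Web Stuff"      <- open_basedir points here
//   /srv/example/htdocs/     "Document Root"  <- DocumentRoot; this file lives here
//   /srv/example/config/     "Config Files"   <- db.php lives here; never served
//
// Assumed Apache (mod_php) vhost fragment that enforces the boundary:
//
//   DocumentRoot /srv/example/htdocs
//   php_admin_value open_basedir "/srv/example/:/tmp/"
//
// Assumed content of /srv/example/config/db.php (a .php file that returns an
// array, so it is executed rather than echoed even if it is ever served):
//
//   <?php
//   return ['dsn' => 'mysql:host=127.0.0.1;dbname=app', 'user' => 'app', 'pass' => 'placeholder'];
//
// This file is /srv/example/htdocs/index.php.

declare(strict_types=1);

// Resolve the config path from this file's own location, not from
// include_path or the working directory, so neither can redirect the include.
$webStuff   = dirname(__DIR__);               // /srv/example
$configPath = $webStuff . '/config/db.php';

// Fail early and loudly if the resolved file is not inside "Web Stuff".
// open_basedir enforces the same boundary inside the engine; this check just
// gives a clear error when the directory layout is wrong.
$real = realpath($configPath);
$base = realpath($webStuff) . DIRECTORY_SEPARATOR;
if ($real === false || strpos($real, $base) !== 0) {
    http_response_code(500);
    exit('configuration not found inside the application directory');
}

/** @var array{dsn:string,user:string,pass:string} $db */
$db = require $real;

// Deploy-time self-check: with open_basedir in force, even stat()ing the
// directory above "Web Stuff" is refused (false plus a warning, which @
// suppresses). If this succeeds, the confinement is not actually configured.
if (@is_dir(dirname($webStuff))) {
    error_log('warning: open_basedir is not confining PHP to ' . $webStuff);
}

try {
    $pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    echo 'connected';
} catch (PDOException $e) {
    // Log the detail server-side only; the message can contain the DSN.
    error_log($e->getMessage());
    http_response_code(503);
    exit('service unavailable');
}
```

Two things the block is meant to show: the config file is reachable by PHP because open_basedir is set one level above the document root rather than at it, yet no URL maps to it because DocumentRoot is the htdocs subtree; and the is_dir probe turns "I believe open_basedir is set" into something a deploy can verify.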