Posted by Jochem Maas on 10/14/05 00:17

Graham Anderson wrote:
> How does a hacker get access to your scripts located outside the web
> folder?
> I asked a friend to hack my php script within the web folder...
>

er. why don't you *#@%*&#(%*&!@#^%(_*^#()% % er ask him.

>
> all of my crucial function were called by:
> require_once("/home/siren/includes/fonovisa.inc");
> the 'encrypt' functions are MCRYPT_RIJNDAEL_256
>
> He was able to get access to the 'fonovisa.inc' php script [outside
> the web folder] and all the stuff inside
> Based on my current knowledge, my security breaches are probably big
> enough to drive a truck through :(
>
>
> how can I prevent this ?

santize your input - make sure your webserver is secure.
don't give php files a .inc extension if you don't know what your doing.

your probably doing the equivelant of (although some what less obviously):

<?

echo get_file_contents( $_GET['anyfileyoulike'] );

• Next in forum: Re: [PHP] prevent user from getting scripts outside the web folder
• Prev in forum: Re: [PHP] prevent user from getting scripts outside the web folder
• Thread view: Re: [PHP] prevent user from getting scripts outside the web folder

[Reply to this message]