Yes, though I don't like renaming files (CVS doesn't handle
it gracefully). I also really think that it is best for the
package to be installed outside of a public directory. It
is certainly an option to rename files, and perhaps it will
happen soon.
-James
On Sat, 30 Mar 2002, Lou Spironello wrote:
> Yup. This is a very serious security breach.
>
> All files which contain php code should have the php
> extension unless one has explicitly defined those
> excluded extensions in web server configuration files.
>
> That's in one of my other messages or
> it could have been posted to a feature request I made today.
>
> All php related scripts should have a "PHP" extension,
> which means all .inc or .ini must be renamed to either
> *.inc.php *.ini.php or just *.php.
>
>
> Lou.
>
> ----- Original Message -----
> From: "Matthew Gregg" <gr...@mu...>
> To: <php...@li...>
> Sent: Saturday, March 30, 2002 2:57 PM
> Subject: [phpesp-dev] Rename phpESP.ini?
>
>
> > While thinking about installation scripts....
> > I must have overlooked something, but why not rename phpESP.ini to
> > something like config.php?
> >
> > If someone mistakenly installs it in a web accessible directory,
> > the web server will attempt to execute it instead of plastering
> > sensitive information to the browser.
> >
> > I tried it, seems to work. It gives you a nice blank page if you access
> > http://yourhost.com/phpESP/admin/config.php
> >
> > Can't be this easy.