
.inc files – how secure are they?

By Adam R. Boalt (burnww.net)
on August 5, 2000

After recently browsing around PHP Builder and other similar sites, I have noticed an increased use of common.inc or global.inc files. This is a good common practice, although it could lead to a major security issue.

I first noticed this problem while browsing Microsoft’s site. (Even though it is in ASP, it works the same for PHP.) Anyway, a server error had occurred and told me what line it occurred on and revealed some of the text near where the error occurred. This text happened to be a common.inc file revealing some critical information. If you take this file and append it to your URL, it reveals the source code.

An include (.inc) file isn’t parsed by the server correctly unless configured by your administrator. This isn’t the case normally, so the server will just treat it like a .txt file.

There are a few different solutions to this security issue. You can configure your server to avoid this (a difficult solution, and not possible for everyone). You can write a custom .htaccess file. Or, the best solution is to use a common.htm file. As long as you have your open/close (`<? ?>`) tags, the server won’t reveal the source code. It works just the same!
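To check a document root for files that would come back as source, here is an added example (not code from the original article) that lists files containing `<?` or `<%` tags whose extension is not handed to the PHP interpreter. The `PHP_HANDLED` set, the function names and the sample files are assumptions made for illustration; a file such as common.htm is reported too unless .htm is among the handled extensions.

```python
import os
import re
import tempfile

# Assumption: the extensions this server hands to the PHP interpreter.
# Set this to match the real handler mapping on your server.
PHP_HANDLED = {".php", ".php3", ".phtml"}

# Opening tag of server-side code (<? or <%), ignoring XML declarations.
CODE_TAG = re.compile(rb"<\?(?!xml)|<%")

def find_exposed_includes(docroot, handled=PHP_HANDLED):
    """Return relative paths of files under docroot that contain server-side
    code but whose extension the server would send back unparsed."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in handled:
                continue  # parsed by PHP, so source is not sent to the client
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it
            if CODE_TAG.search(data):
                rel = os.path.relpath(path, docroot)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)

def demo(handled):
    """Run the scan over a small constructed document root."""
    sample = {  # constructed sample files, not from any real site
        "index.php": b"<?php include('common.inc'); ?>",
        "common.inc": b"<?php $db_pass = 'example-only'; ?>",
        "lib/global.inc": b"<? $site = 'example'; ?>",
        "common.htm": b"<? $site = 'example'; ?>",
        "about.html": b"<html><body>About</body></html>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return find_exposed_includes(root, handled)

if __name__ == "__main__":
    print(demo({".php"}))
```

Any path the scan reports should be moved outside the document root, renamed to a handled extension, or blocked from direct requests.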

Hope this helps!

Adam Boalt
BURN World-Wide, Ltd. (burnww.net)