CodeIgniter Forums

Full Version: Tumblr's security problem exists in CI

El Forum


It's a minor vulnerability issue caused by human error, even if the PHP file is outside of the www directory. To test it: have var/www/index.php include var/code/config.php. If the PHP parser fails, only the index.php code is shown, without the included file. However, if config.php has a simple typo that means it doesn't get parsed as PHP, then the configuration in the PHP code is exposed.

The CI fix to accidental configuration exposure is to pull arrays from ini files:

However, it will incur an overhead hit when reading the ini every time compared to being in opcode cache as a php file. It's suggested to cache the ini file (any other suggestions?).


+ Code should be tested before being added live. But the issue is likely to arise again, as in Tumblr's case; they updated a single PHP file to maintain their connection configurations.
+ PHP returns 200 on a fatal error.
+ Apache can store constant variables too, e.g. SetEnv DB_USER=kermit SetEnv DB_PASS=Shhh, then call it: mysql_connect(getenv('DB_NAME'), getenv('DB_USER'), getenv('DB_PASS'))
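An added example of the ini-file approach described in this post, with the cache the author asks about (example code, not from the thread or from CodeIgniter); the file paths, the cache location and the [database] section name are assumptions:

```php
<?php
// Added example: read settings from an ini file kept outside the document
// root and cache the parsed array as a PHP file (opcode-cacheable) so the
// ini is not re-parsed on every request. Paths are illustrative assumptions.
//
// Sample /var/code/config.ini (constructed):
//   [database]
//   host = "localhost"
//   user = "kermit"
//   pass = "Shhh"

define('CONFIG_INI', '/var/code/config.ini');        // outside /var/www
define('CONFIG_CACHE', '/var/cache/app/config.php'); // also outside /var/www

function load_config(): array
{
    $iniMtime = @filemtime(CONFIG_INI);
    if ($iniMtime === false) {
        // Missing config: fail closed with a generic message, never echo details.
        http_response_code(500);
        exit('Configuration error');
    }

    // Serve the cached array while it is at least as new as the ini file.
    if (is_file(CONFIG_CACHE) && filemtime(CONFIG_CACHE) >= $iniMtime) {
        $cached = include CONFIG_CACHE;
        if (is_array($cached)) {
            return $cached;
        }
    }

    // A typo in an ini file makes parse_ini_file() return false; unlike a
    // broken PHP file, the file's contents are never sent to the client.
    $config = parse_ini_file(CONFIG_INI, true, INI_SCANNER_TYPED);
    if ($config === false) {
        http_response_code(500);
        exit('Configuration error');
    }

    // Rebuild the cache atomically so a half-written file is never included.
    $tmp = CONFIG_CACHE . '.' . getmypid() . '.tmp';
    $php = "<?php\nreturn " . var_export($config, true) . ";\n";
    if (file_put_contents($tmp, $php, LOCK_EX) !== false) {
        chmod($tmp, 0640);
        rename($tmp, CONFIG_CACHE);
    }
    return $config;
}

$config = load_config();
$db = $config['database'] ?? []; // e.g. $db['host'], $db['user'], $db['pass']
```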

El Forum

Another suggested fix:


It gets put into PHP overhead though rather than ignoring potential output.

El Forum

The best and only advice in this case: TEST YOUR CODE!

Something stupid like this should have never gone live.

El Forum

Also, you should chmod your index.php file to 664.