Tumblr's security problem exists in CI
[eluser]Joakal[/eluser]
News: http://news.ycombinator.com/item?id=2343330

It's a minor vulnerability caused by human error, even if the PHP file is outside of the www directory. To test it: have var/www/index.php include var/code/config.php. If the PHP parser fails, only the index.php code is shown, without the included file. However, if config.php has a simple typo that means it doesn't get parsed as PHP, then the configuration in the PHP code is exposed.

The CI fix for accidental configuration exposure is to pull arrays from ini files: http://www.php.net/manual/en/function.pa...i-file.php However, it incurs an overhead hit from reading the ini file every time, compared to sitting in the opcode cache as a PHP file. It's suggested to cache the ini file (any other suggestions?).

Notes:
+ Code should be tested before being added live. But the issue is likely to arise again, as in Tumblr's case; they updated a single PHP file to maintain their connection configurations.
+ PHP returns 200 on a fatal error.
+ Apache can store constant variables too, e.g.
SetEnv DB_USER=kermit
SetEnv DB_PASS=Shhh
then call it: mysql_connect(getenv('DB_NAME'), getenv('DB_USER'), getenv('DB_PASS'))
[eluser]Joakal[/eluser]
Another suggested fix: ob_start(); include("config.php"); ob_end_clean(); http://au2.php.net/manual/en/function.ob-start.php It gets put into PHP overhead, though, rather than ignoring potential output.
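The three approaches raised in the two posts above (an ini file outside the web root with caching, a guarded include wrapped in output buffering, and credentials from Apache SetEnv / the environment), written out as an added example. This is not code from the thread or from CodeIgniter; the paths /var/code/config.ini and /var/code/config.php, the function names, and the APCu cache key scheme are assumptions for illustration. The include guard goes one step further than the ob_start() suggestion: it checks with token_get_all() that the file actually opens with a PHP tag before including it, and fails closed if anything was emitted, so a broken config is an error instead of plain text in the response.

```php
<?php
// Added example (not from the thread or from CI): load configuration from
// OUTSIDE the document root in ways that cannot leak it as served text.
// Assumed layout (hypothetical): /var/www/index.php is the only file under
// the web root; /var/code/ holds config.ini and config.php.
declare(strict_types=1);

const CONFIG_DIR = '/var/code';   // assumed location, outside the web root

// 1. INI file: never parsed as PHP, so a typo cannot turn it into served text.
//    INI_SCANNER_TYPED (PHP >= 5.6.1) yields real bools/ints, not strings.
//    Result is cached in APCu when the extension is loaded, keyed by mtime,
//    which is the "cache the ini file" suggestion from the first post.
function loadIniConfig(string $path): array
{
    $mtime = @filemtime($path);
    if ($mtime === false) {
        throw new RuntimeException("config not readable: $path");
    }
    $key = 'cfg:' . $path . ':' . $mtime;   // assumed cache key scheme
    if (function_exists('apcu_fetch')) {
        $hit = apcu_fetch($key, $ok);
        if ($ok && is_array($hit)) {
            return $hit;
        }
    }
    $cfg = parse_ini_file($path, true, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException("config not parseable: $path");
    }
    if (function_exists('apcu_store')) {
        apcu_store($key, $cfg, 300);
    }
    return $cfg;
}

// 2. PHP config file: refuse to include it unless its first token is an open
//    tag (a "<php" typo or a UTF-8 BOM before "<?php" makes the first token
//    T_INLINE_HTML, which include() would echo straight to the client), then
//    buffer the include and fail closed if it emitted anything at all.
//    A syntax error inside the file throws ParseError on PHP 7+, which the
//    caller can catch instead of serving a 200 with a half-rendered page.
function includeConfigSafely(string $path): array
{
    $src = @file_get_contents($path);
    if ($src === false) {
        throw new RuntimeException("config not readable: $path");
    }
    $tokens = token_get_all($src);
    if ($tokens === [] || !is_array($tokens[0]) || $tokens[0][0] !== T_OPEN_TAG) {
        throw new RuntimeException("config does not start with <?php: $path");
    }
    ob_start();
    try {
        $cfg = include $path;   // the file is expected to `return [ ... ];`
    } finally {
        $leaked = ob_get_clean();
    }
    if ($leaked !== '') {
        throw new RuntimeException("config emitted output; refusing to continue");
    }
    if (!is_array($cfg)) {
        throw new RuntimeException("config did not return an array: $path");
    }
    return $cfg;
}

// 3. Environment variables (Apache SetEnv, FPM env, etc.): nothing under the
//    web root to leak. Refuse to start on a missing variable rather than
//    letting getenv() return false into a connection call.
function dbConfigFromEnv(): array
{
    $cfg = [];
    foreach (['DB_HOST', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $name) {
        $v = getenv($name);
        if ($v === false || $v === '') {
            throw new RuntimeException("missing environment variable $name");
        }
        $cfg[$name] = $v;
    }
    return $cfg;
}

// Usage from index.php (only the loader lives under the web root); pick one:
// $db = loadIniConfig(CONFIG_DIR . '/config.ini')['database'];
// $db = includeConfigSafely(CONFIG_DIR . '/config.php')['database'];
// $db = dbConfigFromEnv();
```

The token check is the part worth keeping even if you drop everything else: it turns the exact failure Tumblr hit (a config file the interpreter no longer treats as PHP) into an exception before a single byte reaches the client, whereas ob_start()/ob_end_clean() on its own silently discards the leak and lets the request carry on with an unloaded config.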
[eluser]WanWizard[/eluser]
The best and only advice in this case: TEST YOUR CODE! Something stupid like this should never have gone live.
[eluser]InsiteFX[/eluser]
Also, you should chmod your index.php file to 664.