on 29/06/02 3:20 AM, Tamas Arpad ([EMAIL PROTECTED]) wrote:
>> I was thinking if you use 90 character long filenames, assuming you only
>> use the letters of the alphabet and the digits then you would have 62^90
>> different filenames, which is roughly 2E161 (2 followed by 161 zeros),
>> which is quite a bit. Hopefully the numbers involved would make it
>> infeasible for an attacker to loop through all the permutations.
>
> But what if the attacker just knows one file's name, for example index.php
> or something that's in the url in the browser. Then he/she can stole that
> file, read it, and gets other filenames because of includes/requires.
> With some work he/she can get all the files without any bruteforce
> filename guessing.
Well if a php file is parsed to the server, then they can't determine what
the orginal included fiels were at all, unless you're dumb enuff to do this:
<!-- include /inc/secret/passwords.inc -->
<?
include('/inc/secret/passwords.inc');
?>
:)
If you adopt some of the practices (I think) included earlier in this thread
by me, you could restrict browser access to your inc files by the use of
smart file naming, dedicated directories and .htaccess files, then this
should cover the basics of people grabbing your included files (with
passwords etc) via http (browser).
It doesn't cover people within the server (others on a shared server, etc)
though.
Justin French
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
