including file a security risk?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

anp24
Forum Newbie
Posts: 13
Joined: Wed Jul 11, 2007 6:34 am

including file a security risk?

Post by anp24 »

Hello,
I am doing a security audit of a PHP website which has the following first line of code, containing a file included in the / (root) directory of the website.

<?php require ("config.php"); ?>

The above file contains code to connect to a MySQL database.

When I try to open this file, a blank page is displayed.

I want to know: does including a file this way pose a security risk/vulnerability? Can anyone change the file or insert any malicious file using C99 shells? If yes, then how?

Thank you
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If someone can alter the file being included, yes it could easily contain malicious code. Server security has to be fairly poor to allow such a thing typically, although poor scripts can allow it too.

If you're accessing this include via a browser, it should show a blank page, generally.
anp24
Forum Newbie
Posts: 13
Joined: Wed Jul 11, 2007 6:34 am

Post by anp24 »

Hello,
Is there any means by which I can see the contents of the config.php file, as it is showing a blank screen? If an update is possible, then a vulnerability is there.

Thank you
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

PHP won't show you the contents unless the code is scripted to do so or PHP wouldn't parse the contents due to a file name issue. Either way, the vulnerability is most often the server, not the software, for this particular "problem."
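
An added example, not part of the thread or of the audited site's code: a small audit pass over a web root that checks the two server-side conditions raised in the replies, namely include files that accounts other than the owner can alter, and include files whose names keep PHP from parsing them so the source is returned as text. The suffix lists, the issue labels and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: only names ending in .php are handed to the PHP interpreter;
# anything else under the web root is served back as plain text.
PARSED_SUFFIXES = (".php",)
# Assumption: name fragments that suggest a PHP include or a copy of one.
INCLUDE_HINTS = (".php", ".inc")


def audit_webroot(root):
    """Return sorted (relative_path, issue) pairs for include files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if not any(hint in lower for hint in INCLUDE_HINTS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            # Writable by group or world: another account on the server can alter it.
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "group-or-world-writable"))
            # Looks like PHP but will not be parsed: the source goes to the browser.
            if not lower.endswith(PARSED_SUFFIXES):
                findings.append((rel, "served-as-source"))
    return sorted(findings)


def demo():
    """Build a constructed web root in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"config.php": 0o640, "config.php.bak": 0o644,
                   "db.inc": 0o644, "header.php": 0o666, "index.html": 0o644}
        for name, mode in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("<?php /* constructed sample */ ?>")
            os.chmod(path, mode)  # set exact mode regardless of umask
        return audit_webroot(root)


if __name__ == "__main__":
    for rel, issue in demo():
        print(f"{issue:24} {rel}")
```

A clean result for config.php here only covers file mode and file name; it does not cover writes made by the file's owner or by the web server account itself.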