including file a security risk?

Posted: Wed Jul 11, 2007 6:47 am
by anp24
Hello,
I am doing a security audit of a PHP website which has the following first line of code, including a file in the / (root) directory of the website.

[syntax=php]<?php require ("config.php"); ?>[/syntax]

The above file contains code to connect to a MySQL database.

When I try to open this file, a blank page is displayed.

I want to know, does including a file this way pose a security risk/vulnerability? Can anyone change the file or insert any malicious file using C99 shells? If yes, then how?

Thank you

Posted: Wed Jul 11, 2007 7:03 am
by feyd
If someone can alter the file being included, yes it could easily contain malicious code. Server security has to be fairly poor to allow such a thing typically, although poor scripts can allow it too.

If you're accessing this include via a browser, it should show a blank page, generally.

Posted: Wed Jul 11, 2007 7:06 am
by anp24
Hello,
Is there any means by which I can see the contents of the config.php file, as it is showing a blank screen? If an update is possible, then a vulnerability is there.

Thank you

Posted: Wed Jul 11, 2007 7:25 am
by feyd
PHP won't show you the contents unless the code is scripted to do so or PHP wouldn't parse the contents due to a file name issue. Either way, the vulnerability is most often the server, not the software, for this particular "problem."
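As an added defender-side check (not code from the original thread or either poster), here is a small POSIX shell function that audits an included config.php for the two conditions feyd describes: whether the file is writable by accounts other than its owner (so a weak script or low-privileged account could alter what gets required), and whether a copy with a name PHP will not parse sits in the web root, where the server would serve its source, database credentials included, instead of executing it. The web-root path and file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added audit helper; not part of the original thread.
# Usage (paths are assumptions): audit_include_file /var/www/html config.php
#
# Prints one finding per line and returns 1 if any were found, 0 otherwise:
#   missing                 the file does not exist at that path
#   writable                group or world write bit set: someone other than
#                           the owner can replace the code that gets required
#   unparsed-copy:<name>    a sibling such as config.php.bak or config.inc
#                           that PHP does not parse, so its source may be served
audit_include_file() {
    dir=$1
    name=$2
    base=${name%.php}
    status=0
    f="$dir/$name"

    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi

    # Octal mode, e.g. 644 or 2755. GNU stat first, BSD/macOS stat as fallback.
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    head=${perms%?}                # mode without its last digit
    other=${perms#"$head"}         # last digit: permissions for "other"
    group=${head#"${head%?}"}      # second-to-last digit: group permissions
    # Write permission is bit value 2 in each octal digit.
    if [ $(( group & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]; then
        echo "writable"
        status=1
    fi

    # Look for copies of the config that share its base name but carry an
    # extension the PHP engine will not execute.
    for copy in "$dir/$base".*; do
        [ -e "$copy" ] || continue
        case "$copy" in
            *.php) ;;                                   # parsed by PHP; skip
            *) echo "unparsed-copy:${copy##*/}"; status=1 ;;
        esac
    done

    return $status
}
```

Run it against the web root after deployment and again after any change to server permissions; a clean run prints nothing and exits 0. The check is deliberately limited to what the thread raises (writability and unparsed copies) and does not replace a review of how the web-server user itself is allowed to write to the document root.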