[Pmwiki-users] more thoughts on .htaccess
Patrick R. Michaud
Tue Dec 7 09:04:01 CST 2004
On Tue, Dec 07, 2004 at 10:27:55AM -0500, Neil Herber wrote:
> * /pmwiki/local/config.php --- produces an html page whose entire
> contents are "<html><body></body></html>"
> Given this result, what is the risk posed by having the server "execute"
In general, there's not a whole lot of risk. Most configuration files
simply set values for variables and perhaps include a few other scripts,
and this isn't going to cause a problem. But if a configuration file
starts manipulating files or making calls to the operating system or
includes another script that does that, then there's more risk but
still not a lot. It depends on what's being done in the configuration
file, PHP's settings for things like register_globals, etc.

And any risk from the configuration files that might exist can be
virtually eliminated by making sure the beginning of the file reads...

    <?php if (!defined('PmWiki')) exit();

All PmWiki scripts have this, as well as any cookbook scripts that I
write/publish. But even without these lines, the risk is quite small
for normal installations (with or without the .htaccess).
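
A way to check which scripts in an installation actually begin with the guard quoted above, as an added example that is not part of the original message or of PmWiki itself. The function names, the choice of the `local` and `cookbook` directories as defaults, and the sample file contents are assumptions made for illustration.

```python
import re
from pathlib import Path

# The guard has to be the first statement after the opening tag; only
# comments may precede it. exit and die are equivalent in PHP.
GUARD = re.compile(
    r"""\A\s*<\?php\s+
        (?:(?://|\#)[^\n]*\n\s*|/\*.*?\*/\s*)*   # leading comments only
        if\s*\(\s*!\s*defined\s*\(\s*(['"])PmWiki\1\s*\)\s*\)\s*
        \{?\s*(?:exit|die)\s*(?:\([^)]*\))?\s*;""",
    re.VERBOSE | re.DOTALL,
)

def has_guard(source: str) -> bool:
    """True if the PHP source starts with the defined('PmWiki') guard."""
    return GUARD.match(source) is not None

def unguarded(root, subdirs=("local", "cookbook")):
    """Relative paths of .php files under root/<subdir> that lack the guard."""
    root = Path(root)
    missing = []
    for sub in subdirs:
        if not (root / sub).is_dir():
            continue
        for path in (root / sub).rglob("*.php"):
            text = path.read_text(encoding="utf-8", errors="replace")
            if not has_guard(text):
                missing.append(path.relative_to(root).as_posix())
    return sorted(missing)

# Constructed sample files, not taken from any real installation.
SAMPLES = {
    "local/config.php": "<?php if (!defined('PmWiki')) exit();\n$WikiTitle = 'Example';\n",
    "local/farmconfig.php": "<?php\n$WikiTitle = 'Example';\n",
    # Guard present but too late: the include runs before it is reached.
    "cookbook/late.php": "<?php\ninclude_once('other.php');\nif (!defined('PmWiki')) exit();\n",
    "cookbook/commented.php": '<?php\n// recipe settings\nif (!defined("PmWiki")) die();\n',
}

if __name__ == "__main__":
    import sys
    for name in unguarded(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("no guard:", name)
```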