[Pmwiki-users] more thoughts on .htaccess

Patrick R. Michaud pmichaud
Tue Dec 7 09:04:01 CST 2004


On Tue, Dec 07, 2004 at 10:27:55AM -0500, Neil Herber wrote:
> * /pmwiki/local/config.php  ---  produces an html page whose entire 
> contents are "<html><body></body></html>"
> 
> Given this result, what is the risk posed by having the server "execute" 
> /pmwiki/local/config.php?

In general, there's not a whole lot of risk.  Most configuration files
simply set values for variables and perhaps include a few other scripts,
and this isn't going to cause a problem.  But if a configuration file
starts manipulating files or making calls to the operating system or
includes another script that does that, then there's more risk but
still not a lot.  It depends on what's being done in the configuration
file, PHP's settings for things like register_globals, etc.

And any risk from the configuration files that might exist can be 
virtually eliminated by making sure the beginning of the file reads...

   <?php if (!defined('PmWiki')) exit();

All PmWiki scripts have this, as well as any cookbook scripts that I
write/publish.  But even without these lines, the risk is quite small
for normal installations (with or without the .htaccess).

Pm
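
An added example, not part of the original message and not PmWiki's own code: a small audit that reports which .php files under an installation do not open with the guard quoted above. The names `has_guard` and `audit` and the sample files are hypothetical, and accepting `die` or leading comments before the guard is an assumption about equivalent forms.

```python
import re
from pathlib import Path

# Comments that may legitimately sit between "<?php" and the guard.
COMMENT = re.compile(r"\s*(?:#[^\n]*|//[^\n]*|/\*.*?\*/)", re.DOTALL)
# The guard from the post, whitespace tolerant; exit/die with or without "()".
GUARD = re.compile(
    r"""\s*if\s*\(\s*!\s*defined\s*\(\s*(['"])PmWiki\1\s*\)\s*\)"""
    r"""\s*(?:exit|die)\s*(?:\(\s*\))?\s*;"""
)

def has_guard(source: str) -> bool:
    """True if the first statement after the opening tag is the PmWiki guard."""
    text = source.lstrip("\ufeff")  # ignore a UTF-8 byte order mark
    if not text.startswith("<?php"):
        return False  # anything before the tag is sent to the client unguarded
    pos = len("<?php")
    while (m := COMMENT.match(text, pos)):
        pos = m.end()  # skip comments, they execute nothing
    return GUARD.match(text, pos) is not None

def audit(root: Path) -> list[str]:
    """Return relative paths of .php files under root that lack the guard."""
    missing = []
    for path in sorted(root.rglob("*.php")):
        if not has_guard(path.read_text(encoding="utf-8", errors="replace")):
            missing.append(path.relative_to(root).as_posix())
    return missing

# Constructed sample files, not taken from a real installation.
SAMPLES = {
    "local/config.php":
        "<?php if (!defined('PmWiki')) exit();\n$WikiTitle = 'Test';\n",
    "cookbook/commented.php":
        "<?php\n/* recipe header */\nif (!defined(\"PmWiki\")) die;\n",
    "cookbook/noguard.php":
        "<?php\n$log = fopen('access.log', 'a');\n",
    "cookbook/late.php":
        "<?php\n$x = 1;\nif (!defined('PmWiki')) exit();\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {'guarded' if has_guard(body) else 'MISSING GUARD'}")
```

A guard that appears after other statements is reported as missing, since the code before it still runs when the file is requested directly.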