PHP Include Function? Security Risk?

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Noobarmy
Registered User
Posts: 2388
Joined: Tue Apr 04, 2006 6:15 pm
Location: London

PHP Include Function? Security Risk?

Post by Noobarmy »

Well, seeing as this theoretically should be a discussion area, I was wondering: does no one find the include function in PHP a security risk (BTW I thought it's more of a phpBB thing so kept it here rather than General Discussion, sorry if I thought wrong. lol), especially where phpBB forum DBs are concerned?

Because as phpBB is completely open-source (which is probably a good thing, I ain't saying it ain't), all the layouts are the same. So a hacker could set up a forum, then in their config file just replace all the data there with an include of someone else's config file, which could easily be found in the root folder. Then with that they could play about with the database. Is this true?

It's rather strange but an interesting topic as to why the include function can include a file anywhere on the internet.

hmm..
Hynee
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am

Post by Hynee »

It won't work on another server: if you include 'http://yourserver.com/forum/config.php', it will either simply be denied or produce blank output, because all that file does is set up some variables. On shared hosting it can be a risk, but usually there are water-tight security restrictions between different sites on the same host.

People do worry about PHP errors for this reason, because they reveal the server path to software installations.
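As an added illustration of the shared-hosting concern above (example code, not phpBB's own and not part of this thread), here is a guarded include helper that refuses URL-style paths and any file resolving outside the application's own directory; APP_ROOT is an assumed constant for the install directory.

```php
<?php
// Added example, not phpBB code: a guarded include that blocks remote URLs
// and paths escaping the application root. Pair it with php.ini settings
// allow_url_include = Off and allow_url_fopen = Off so include() itself
// cannot fetch over HTTP. APP_ROOT is an assumption standing in for the
// forum's install directory.
define('APP_ROOT', realpath(__DIR__));

function safe_include($relative)
{
    // Refuse anything carrying a URL scheme (http://, ftp://, php://, data:).
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {
        throw new RuntimeException("Refusing to include a URL: $relative");
    }
    // Only plain .php names built from safe characters, and no '..' segments.
    if (!preg_match('#^[A-Za-z0-9_/.\-]+\.php$#', $relative)
        || strpos($relative, '..') !== false) {
        throw new RuntimeException("Bad include name: $relative");
    }
    // realpath() resolves symlinks; the result must remain under APP_ROOT,
    // so a path pointing at another site's config.php on the same host fails.
    $full = realpath(APP_ROOT . '/' . $relative);
    $prefix = APP_ROOT . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("Include outside application root: $relative");
    }
    include $full;
}

// Constructed inputs that must all be rejected.
$bad = array(
    'http://example.com/forum/config.php',
    '../../othersite/config.php',
    '/etc/passwd',
);
foreach ($bad as $path) {
    try {
        safe_include($path);
        echo "UNEXPECTED: $path was allowed\n";
    } catch (RuntimeException $e) {
        echo 'blocked: ', $e->getMessage(), "\n";
    }
}
```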
Noobarmy
Registered User
Posts: 2388
Joined: Tue Apr 04, 2006 6:15 pm
Location: London

Post by Noobarmy »

Hmm, I see. I never actually tested outside my own server. lol. OK then, interesting to know.
karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Post by karlsemple »

You should either get a blank page, or the white page that just says "hacking attempt".
