Is it possible to view PHP content that is not echoed?

Time: 2021-01-17 00:14:49

Imagine the following PHP file:


<?php
  $topSecret = "Something important";
?>

If I put this on a server running the standard LAMP setup, how could someone find out $topSecret?


If the variable is not echoed, is it vulnerable? A real application of this might be database credentials stored in the web root of a server.


2 answers

#1


13  

If PHP were to fail somehow, then the page would be displayed as a plain text file. That has happened before; it once happened to Facebook. To protect against this you should store all sensitive variables (passwords, etc) in a php file which is not in the web root. You could store it in the parent folder (if you have access to it) or in a subfolder which is protected by apache (deny all).

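The layout the answer recommends, as an added example that is not part of the original answer. It assumes a hypothetical project at /var/www/example whose web root is the public/ subdirectory, with the credentials in config/secrets.php one level above it; the file names, array keys and DSN are placeholders chosen for the illustration.

```php
<?php
// Added example (not from the original question or answers).
// Assumed layout for this illustration:
//   /var/www/example/config/secrets.php   <- outside the web root
//   /var/www/example/public/index.php     <- web root is /var/www/example/public
//
// config/secrets.php holds nothing but a return statement, so including it
// echoes nothing, and if it were ever served raw there is nothing else in it:
//
//   <?php
//   return [
//       'db_dsn'  => 'mysql:host=127.0.0.1;dbname=app',
//       'db_user' => 'app',
//       'db_pass' => 'placeholder-change-me',
//   ];

declare(strict_types=1);

// Resolve the secrets file relative to this script, one directory above the web root,
// so the path does not depend on the current working directory.
$secretsPath = dirname(__DIR__) . '/config/secrets.php';

if (!is_readable($secretsPath)) {
    // Fail closed: never fall back to credentials hard-coded in the web root.
    http_response_code(500);
    exit('Configuration missing');
}

/** @var array<string, string> $secrets */
$secrets = require $secretsPath;

// Check the shape of what was loaded before using it.
foreach (['db_dsn', 'db_user', 'db_pass'] as $key) {
    if (!isset($secrets[$key]) || !is_string($secrets[$key])) {
        http_response_code(500);
        exit('Configuration incomplete');
    }
}

$pdo = new PDO($secrets['db_dsn'], $secrets['db_user'], $secrets['db_pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// The secret values are never sent to the client; only the outcome of using them is.
echo 'Database connection established';
```

If the hosting account gives no access above the web root, the fallback the answer mentions is to keep the file in a subdirectory that Apache refuses to serve: in Apache 2.4 syntax that is a `<Directory>` block for the subdirectory containing `Require all denied` (the 2.2 form is `Deny from all`). Note that this protects only against the web server handing the file out; a file-read bug in the application itself is a separate problem.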

#2


6  

Under normal circumstances, it would not be possible to view that.


But errors in configuration, or exploits in code could make it possible to view the contents of the files.


Normally, one would place such information outside of the webroot, to decrease the chance such a thing happens.

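An added example of the "exploits in code" case the answer refers to, not code from the original answer: a hypothetical template-serving script whose file parameter is attacker-controlled, beside a hardened version. The parameter name `file`, the templates/ directory and the allow-listed file names are assumptions made for the illustration.

```php
<?php
// Added example (not from the original answers): how application code, rather than
// a PHP failure, can return a PHP file's source as text.
// Hypothetical setup: this script sits in the web root and serves HTML fragments
// from ./templates/ chosen by a ?file= query parameter.

declare(strict_types=1);

// VULNERABLE: the client controls the path. readfile() does not execute PHP, it
// copies the bytes into the response, so ?file=../config.php returns the source
// of config.php, and ?file=../../config/secrets.php reaches a file that was
// deliberately placed outside the web root.
function serve_vulnerable(string $baseDir, string $requested): void
{
    readfile($baseDir . '/' . $requested);
}

// HARDENED: allow-list the names that may be served, then confirm the resolved
// path is still inside the intended directory.
function serve_hardened(string $baseDir, string $requested): void
{
    $allowed = ['about.html', 'contact.html'];
    if (!in_array($requested, $allowed, true)) {
        http_response_code(404);
        exit('Not found');
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    // realpath() resolves ../ and symlinks and returns false for a missing file,
    // so anything that does not resolve under $base is rejected.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('Not found');
    }

    header('Content-Type: text/html; charset=utf-8');
    readfile($path);
}

// Reject array-valued parameters (?file[]=x) as well as missing ones.
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : 'about.html';
serve_hardened(__DIR__ . '/templates', $requested);
```

The point of showing both is the caveat behind the answer's last sentence: moving the credentials outside the web root stops the web server from serving them directly (the misconfiguration case), but it does not stop an arbitrary-file-read bug in the application, which is why the hardened version checks the resolved path rather than relying on location alone.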

