[SAC] Re: Subject: [Technical Problem] can't register on trac
Frank Warmerdam
warmerdam at pobox.com
Tue Apr 10 12:35:33 EDT 2012
On Tue, Apr 10, 2012 at 9:19 AM, Martin Spott <Martin.Spott at mgras.net> wrote:
> As far as I can tell, the most common way to retrieve purportedly
> hidden information is to trick the web server into a specific error
> which exposes the content of the failing script (as debug output).
> Both storing the credentials either in a separate file or in the
> environment could help against this sort of attack.
> Aside from that, PHP is quite popular for exposing security holes
> allowing arbitrary (PHP) commands to be fed in and executed in the
> context of the web server. Thus you're always better off storing
> sensitive information outside the web server's document root and thus
> outside the reach of the built-in PHP interpreter.
Martin,
OK - while this doesn't sound compelling, I can see moving the value
into a file outside the document root would mitigate some risk. I'll do
it today.
Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | Geospatial Software Developer
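The pattern discussed in this thread, as an added example that is not code from the SAC list, from Trac, or from any OSGeo project: the weak setup (a secret embedded in a script under the document root) is shown in comments beside a loader that takes the secret from the environment or from a file outside the document root. The paths /var/www/html and /etc/osgeo-app/db.ini, the variable names DB_USER/DB_PASSWORD and the file mode 0640 are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not code from the SAC thread or from Trac/OSGeo).
// Assumed, hypothetical layout: DOCUMENT_ROOT is /var/www/html and the
// credential file is /etc/osgeo-app/db.ini, owner root, group www-data,
// mode 0640, so the web server user can read it but "other" cannot.

// Weak pattern (do not do this): the secret sits in a script under the
// document root, e.g. /var/www/html/config.php containing
//     $db_pass = 'hunter2';
// Anything that discloses the script's source (a debug error page that
// prints the failing file, a handler misconfiguration that serves .php
// as text, a path-traversal read, injected PHP calling readfile(__FILE__))
// discloses the password with it.

// Hardened pattern: take the secret from the environment, or from a file
// that lives outside DOCUMENT_ROOT, and refuse obviously unsafe setups.
function loadDbCredentials(string $iniPath = '/etc/osgeo-app/db.ini'): array
{
    // Environment first: a value injected by the service manager or the
    // web server configuration never exists as a file in the web tree.
    $envUser = getenv('DB_USER');
    $envPass = getenv('DB_PASSWORD');
    if ($envUser !== false && $envPass !== false) {
        return ['user' => $envUser, 'password' => $envPass];
    }

    $real = realpath($iniPath);
    if ($real === false) {
        throw new RuntimeException("credential file not found: $iniPath");
    }

    // Reject a credential file that resolves to somewhere under the
    // document root; putting it there defeats the purpose of the move.
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '');
    if ($docRoot !== false && strpos($real, rtrim($docRoot, '/') . '/') === 0) {
        throw new RuntimeException("credential file is inside the document root: $real");
    }

    // Reject world-readable files: any other local account (or a CGI
    // running as nobody) could read the secret even though HTTP cannot.
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException("credential file is world-readable: $real");
    }

    // Plain key = value pairs; parse_ini_file() strips surrounding quotes.
    $cfg = parse_ini_file($real, false);
    if ($cfg === false || !isset($cfg['user'], $cfg['password'])) {
        throw new RuntimeException("credential file is malformed: $real");
    }
    return ['user' => (string) $cfg['user'], 'password' => (string) $cfg['password']];
}

// Self-contained demonstration: write a constructed credential file in
// the system temp directory (outside any document root), mode 0600, and
// load it. Run with `php this_file.php`.
$_SERVER['DOCUMENT_ROOT'] = $_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html';
$tmp = tempnam(sys_get_temp_dir(), 'dbcred');
file_put_contents($tmp, "user = tracdb\npassword = \"example-only\"\n");
chmod($tmp, 0600);
$creds = loadDbCredentials($tmp);
printf("loaded credentials for user %s from %s\n", $creds['user'], $tmp);
unlink($tmp);
```

The environment route needs the variable set in the server configuration rather than in a shell profile, for example Apache's SetEnv in a vhost or nginx's fastcgi_param for php-fpm; either way the value is not readable through the web tree, which is the property Martin's message asks for. The permission check is deliberately strict: a 0644 file outside the document root still leaks to every local account on the host.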