Published January 16th, 2003 by Jim O'Halloran

One More Vulnerability for the Top 10

Scott Johnson adds one more to the top 10 list I linked to previously:

Installing Open Source applications on the quick. You know the drill — you grab some code, install it and then poof! The client is running it and is happy so you kinda ignore it. And you don’t realize that the default installation leaves the password in the clear! Think I’m kidding? For example a lot of php applications use .inc for include files as their extension so config.inc is viewable by anyone who knows it exists.

This is actually a good point. One thing I've been doing in my PHP code is giving my config files a .php extension. That way, if someone requests my config file, the PHP parser gets a chance to process it and returns an empty page. Otherwise the source of an .inc file will simply be returned to the browser, leading to compromise of database user names, passwords, etc. which might be stored in the config file.
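As an added check for the problem described above (example code, not part of the original post), here is a small audit script that walks a document root and flags files that would be served as plain text rather than handed to the PHP parser, yet contain credential-looking assignments. It assumes the typical handler mapping in PHP_EXTENSIONS; everything else under the root is treated as served verbatim. The sample site it builds is constructed for the demonstration.

```python
"""Find config/include files a web server would serve as source.

Assumption: only the extensions in PHP_EXTENSIONS are executed by PHP;
any other file under the document root is returned to the client as-is.
"""
import os
import re
import tempfile

PHP_EXTENSIONS = {".php", ".php3", ".phtml"}  # assumed handler mapping
# Variable assignments that look like stored credentials in a PHP config.
SECRET_RE = re.compile(r"\$\w*(pass|passwd|password|secret|apikey)\w*\s*=",
                       re.IGNORECASE)


def is_served_as_source(path):
    """True if the extension is not one the PHP handler executes."""
    _, ext = os.path.splitext(path)
    return ext.lower() not in PHP_EXTENSIONS


def find_exposed_configs(docroot):
    """Return docroot-relative paths (forward slashes) of files that would be
    served as source AND contain credential-looking assignments."""
    hits = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if not is_served_as_source(full):
                continue
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if SECRET_RE.search(fh.read()):
                        rel = os.path.relpath(full, docroot)
                        hits.append(rel.replace(os.sep, "/"))
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
    return sorted(hits)


def build_sample_docroot():
    """Constructed sample site: an exposed lib/config.inc and a safe config.php."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    body = "<?php\n$db_user = 'app';\n$db_pass = 'example-only';\n?>\n"
    with open(os.path.join(root, "lib", "config.inc"), "w") as fh:
        fh.write(body)          # .inc: served verbatim, password exposed
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write(body)          # .php: executed, produces an empty page
    return root


if __name__ == "__main__":
    for rel in find_exposed_configs(build_sample_docroot()):
        print("served as source:", rel)
```

Run it against a real document root by calling find_exposed_configs with that path; anything it lists should be renamed to a .php extension or moved outside the web root.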

