dirbusting or .htaccess? #52
Comments
Set up selfauth and try loading your config.php file in a browser. You should get a zero-length response from the web server because all it does is set four variables. It doesn't actually output anything.
Best practice PHP nowadays is that you should keep your configs / .envs one directory above the public one, just in case your web server interprets it as a static file. I'm aware that if PHP interprets it it'll be blank. If someone's server is set up wrong, it'll leak the config. It's not best practice PHP to leave it in the same folder.
True. However, if somebody's server is set up wrong, selfauth won't work at all because index.php will get displayed to the user also. Not trying to refute your point (you're right), just making an observation after testing yesterday.
yup definitely seen where somebody has a working PHP setup but they also have a second HTTP server (or a second server directive) that can see the same directory. |
What prevents someone from misconfiguring apache such that /config.php is browsable?
e.g. shouldn't there be a mention of setting up .htaccess?
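As an added example (not part of this thread or the selfauth project): an .htaccess rule that answers the question above. It assumes Apache 2.4 with mod_authz_core, that the directory's `<Directory>` block allows overrides, and the file names config.php and .env discussed in the thread.

```apache
# Added example, not selfauth's own code. Drop this .htaccess into the
# directory that holds config.php.
#
# Failure mode being guarded against: the PHP handler is missing for this
# directory, or a second HTTP server (or server block) exposes the same
# directory as static files. In that case a plain GET /config.php returns
# the file's source, and the variables it sets are leaked to the client.

# Hardened rule (Apache 2.4): refuse every request for these file names.
# <FilesMatch> matches on the basename, so it also covers subdirectories.
<FilesMatch "^(config\.php|\.env)$">
    Require all denied
</FilesMatch>

# Apache 2.2 equivalent, if you are still on it (mod_access_compat):
# <FilesMatch "^(config\.php|\.env)$">
#     Order deny,allow
#     Deny from all
# </FilesMatch>

# Caveat: .htaccess is only read when the enclosing <Directory> in the
# server config has "AllowOverride AuthConfig" (or "All"). With
# "AllowOverride None" this file is silently ignored and config.php stays
# reachable, so check the server config, not just this file.
```

To verify, request the file directly (`curl -si http://host/path/config.php`): with the rule in place you should get a 403 whether or not PHP is running; without it, a correctly working PHP setup returns 200 with an empty body (as the first comment describes), while a misconfigured one returns the PHP source. Note that this only protects the Apache path: a second server pointed at the same directory, the case raised later in the thread, will not honor .htaccess at all, which is why keeping config.php one directory above the document root is the more robust option.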