Re: DotClear Full Path Disclosure Vulnerability

To: Gmail account <god.ate.my.homework@xxxxxxxxx>
Subject: Re: DotClear Full Path Disclosure Vulnerability
From: Raphaël HUCK <raphael.huck@xxxxxxx>
Date: Tue, 13 Feb 2007 22:39:04 +0100
Cc: Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <45D209FC.2090206@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070211232018.7799.qmail@xxxxxxxxxxxxxxxxx> <1171315726.4771.15.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <45D0E15A.5000201@xxxxxxx> <1171345651.4771.20.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <45D169EA.5080508@xxxxxxx> <1171357839.28815.43.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <45D209FC.2090206@xxxxxxxxx>
User-agent: Thunderbird 1.5.0.9 (Windows/20061207)

Of course, there are multiple ways to secure software after their setup,provided you know a minimum about computer security.

But I think many people just do the default setup the easy way via thesetup wizard.

That's why I believe the developers should take great care securingtheir software by default.

Well the ideal situation for incuding files is when your root is notyout webroot.But if you dont have this you can make a workaround by placing every phpfile that is not directy called (but included) into a folder and placein it an .htaccess file with a deny from all command so it would not beaccesible from anyone through a browser.

References:
- DotClear Full Path Disclosure Vulnerability
  - From: raphael . huck
- Re: DotClear Full Path Disclosure Vulnerability
  - From: Cedric Blancher
- Re: DotClear Full Path Disclosure Vulnerability
  - From: Raphaël HUCK
- Re: DotClear Full Path Disclosure Vulnerability
  - From: Cedric Blancher
- Re: DotClear Full Path Disclosure Vulnerability
  - From: Raphaël HUCK
- Re: DotClear Full Path Disclosure Vulnerability
  - From: Cedric Blancher
- Re: DotClear Full Path Disclosure Vulnerability
  - From: Gmail account

Prev by Date: Argument injection issues
Next by Date: Apache Multiple Injection Vulnerabilities
Previous by thread: Re: DotClear Full Path Disclosure Vulnerability
Next by thread: Re: DotClear Full Path Disclosure Vulnerability
Index(es):
- Date
- Thread