Radicore Forum
Fast Uncompromising Discussions. FUDforum will get your users talking.
Home » RADICORE development » Framework » OWASP standards vs. Radicore Framework
Re: OWASP standards vs. Radicore Framework [message #121 is a reply to message #120] Thu, 29 June 2006 11:48 Go to previous messageGo to previous message
AJM is currently offline  AJM
Messages: 2367
Registered: April 2006
Location: Surrey, UK
Senior Member
I use the .inc extension to indicate that that a file can only be included and not executed in its own right. This is an important difference to most people.

I include in my installation instructions the means to tell Apache not to allow access to any files which end in the '.inc' extension.

Even if these instructions were to be ignored there should be no security issues as all the critical .inc files are held in a directory which is outside the web root and are therefore totally inaccessible even if Apache were to be mis-configured.

Those .inc files which are not outside the web root are in their own separate directories which could easily be password protected or set to be inaccessible via the web server.

The OWASP recommendation does not take these other options into account, so the "security hole" is not as bad as they would make out.

Tony Marston
http://www.tonymarston.net
http://www.radicore.org

Report message to a moderator

[Message index]
 
Read Message
Read Message
Read Message
Read Message
Previous Topic: metadata vs. business logic
Next Topic: Framework Version
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Thu Nov 21 17:49:29 EST 2024

Total time taken to generate the page: 0.09093 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.1.3.
Copyright ©2001-2023 FUDforum Bulletin Board Software