{"id":256,"date":"2011-12-10T17:46:15","date_gmt":"2011-12-10T22:46:15","guid":{"rendered":"http:\/\/littlesvr.ca\/grumble\/?p=256"},"modified":"2012-12-05T00:53:05","modified_gmt":"2012-12-05T05:53:05","slug":"looking-at-inc-files-on-an-apache-server","status":"publish","type":"post","link":"http:\/\/littlesvr.ca\/grumble\/2011\/12\/10\/looking-at-inc-files-on-an-apache-server\/","title":{"rendered":"Looking at .inc files on an Apache server"},"content":{"rendered":"<p>Ever since I learned how CGI works (a couple of lifetimes ago) I was bothered by the fact that the source code is accessible by the web server, and by extension &#8211; by anyone on the internet.<\/p>\n<p>If your CGI module is properly loaded and configured then Apache will execute the files rather than display them, <strong>but<\/strong> if there is a problem loading your module then Apache will stupidly display the contents of your source code in the web browser.<\/p>\n<p>This is a real problem because the source code usually includes credentials for your database and who knows what else.<\/p>\n<p>With PHP it got a little better when it became almost completely integrated into Apache and it was very challenging to break PHP without breaking Apache too.<\/p>\n<p>Today I thought &#8211; wait a minute. My php will interpret .php files, but what about all those .inc files? They are PHP yeah but with a different extension. Sure enough I looked at ostd\/parsePoFile.inc in Firefox and the whole source is dumped right out.<\/p>\n<p>It was an easy enough fix, adding a Files section to my httpd.conf, but come on guys! How hard would it have been to add .inc files to the default config? .ht* is there. Lame.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ever since I learned how CGI works (a couple of lifetimes ago) I was bothered by the fact that the source code is accessible by the web server, and by extension &#8211; by anyone on the internet. If your CGI module is properly loaded and configured then Apache will execute the files rather than display &hellip; <\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,5,4],"tags":[],"class_list":{"0":"entry","1":"post","2":"publish","3":"author-andrew","4":"post-256","6":"format-standard","7":"category-opensource","8":"category-ostd","9":"category-safeforseneca"},"_links":{"self":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts\/256","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/comments?post=256"}],"version-history":[{"count":4,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts\/256\/revisions"}],"predecessor-version":[{"id":607,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/posts\/256\/revisions\/607"}],"wp:attachment":[{"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/media?parent=256"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/categories?post=256"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/littlesvr.ca\/grumble\/wp-json\/wp\/v2\/tags?post=256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}