
Date:  Tue, 21 Feb 2006 15:58:10 +0100
From:  Maurice de Laat <muisnetw (at mark) xs4all.nl>
Subject:  [coba-e:04143] security-alert: Preview site
To:  coba-e (at mark) bluequartz.org
Message-Id:  <20060221145810.GA13638 (at mark) xs4all.nl>
X-Mail-Count: 04143


Hi,

When creating a virtual site on BQ, one can enable 'Preview Site 
Configuration', which basically allows one to preview the site on the 
address http://ServerName/VsiteName

This setting allows one to view PHP code.

If one puts PHP scripts on the new virtual site and accesses them by 
using the preview URL, the clear PHP code (including passwords entered in 
them) shows up in a browser! Even if PHP is enabled on the main site.

Does anybody know a way to close this hole?

Thank you
-- 
Maurice de Laat