There’s been a ton of speculation lately about whether the unintentional leaking of facebook code on their site constitutes a security threat and if the fact that the code was visible proves that the facebook servers are somehow less secure. Quite frankly I have to assume that those ministrations are being made by people who have never configured anything more complex that a netgear home router. any server, apache or IIS (Windows) can with the commenting out of a single line (Apache) or unchecking of a single box (IIS) show the source code of a page instead of compiling/rendering that page. It has no bearing whatsoever on the security of the code itself, and were it any other way would actually make the servers LESS secure by limiting what a person could set a server to run and what they could set it to run given code AS. So yeah, someone fat-fingered a configuration option, perhaps,
AddType text/plain .php4
or more dangerously
AddType application/x-httpd-php .png
That second one would let me run PHP scripts that could do all sorts of nefarious things if you were to request a .png graphics file from my server. as an example, check,
Your browser will be convinced it’s an image. If you save it you will AHVE an image, but it’s actually just a PHP script that dynamically creates the image on the fly. If I were to reconfigure the server to serve any .jpg files as php, you would never be able to tell it’s not an image. So by that rule EVERY web server is a security risk and should be shut down. right?
The original register link is:
http://www.theregister.com/2007/08/16/facebook_leak_google_dmca/
Entries (RSS)