jskrauss

  1. I'm giving this a shot... I think it may just be a Vista thing because now http://localhost won't even come up. I stopped and restarted services...
  2. The file is a simple <? echo "hello" ; >? It does not show on the screen.
  3. [Thu Jun 28 10:15:13 2007] [notice] Parent: Created child process 6056
     [Thu Jun 28 10:15:14 2007] [notice] Child 6056: Child process is running
     [Thu Jun 28 10:15:14 2007] [notice] Child 6056: Acquired the start mutex.
     [Thu Jun 28 10:15:14 2007] [notice] Child 6056: Starting 250 worker threads.
     [Thu Jun 28 10:15:14 2007] [notice] Child 6056: Starting thread to listen on port 80.
     [Thu Jun 28 10:17:06 2007] [error] [client 127.0.0.1] script 'C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/test.php' not found or unable to stat
  4. I installed Apache on my local machine. In order to get it to install I had to disable user control. I got it running and verified the install. I then installed PHP. I edited the php.ini file and added the doc_root command. I also added a few lines to the httpd file:

     ScriptAlias /PHP "C:/PHP"
     AddType application/x-httpd-php .php
     Action application/x-httpd-php "/php/php-cgi.exe"

     I can't get a very simple test file to execute. Any ideas? Full .ini and conf files attached in a single document, separated by file name. php.ini [attachment deleted by admin]
  5. No error on the page! I should have caught that myself! Thanks. I will rerun the security test!
  6. I replaced my file with the suggested content and wound up with the following (directory structure altered for security purposes in this post):

     Ford Focus Warning: file_get_contents(../includes/p) [function.file-get-contents]: failed to open stream: No such file or directory in /removed/removed/public_html/_php/include.php on line 15
  7. We have a simple PHP script that is designed to only include the body portion of a page when doing a server side include. The dilemma is it is failing our security audit due to an XSS issue.

     <?php
     // Return the contents of the <body> element of $content.
     function StripBody($content){
         preg_match('%<body.*>(.*)</body>%is', $content, $matches);
         $matches=$matches[0];
         $matches=preg_replace('%<.*body.*>%i','',$matches);
         //$matches=str_replace(array("\n","\t","\r"," "),"",$matches);
         $matches=str_replace(array("../"),"",$matches);
         $matches=trim($matches);
         return $matches;
     }

     // p is the file to include; lb=1 adds the "Close" links.
     if(file_exists("../includes/$_REQUEST[p]")){
         $inp=file_get_contents("../includes/$_REQUEST[p]");
         echo "<!-- include $_REQUEST[p] BEGIN -->\n";
         if($_REQUEST['lb']==1){
             echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
         }
         echo StripBody($inp);
         if($_REQUEST['lb']==1){
             echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
         }
         echo "\n<!-- include $_REQUEST[p] END-->\n";
     }else{
         // File not found: the requested name is echoed back.
         echo '[<i>' . $_REQUEST['p'] . '</i>]';
     }
     ?>

     The problem according to the security audit is a hacker could in theory add

     ?p=<script>alert(document.cookie)</script><iframe%20width=800%20height=600%20src=http://www.intrudersdomainname.com></iframe>&lb=1

     to the URL and have their content displayed on our page or run other scripts. The issue is stripping that information out of the value for p. I've tried strip_tags but since p is defined as a constant it does not work.
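
One way to address the audit finding in the post above, as an added example that is not the poster's code or a reply from the thread: check p against an allowlist and a realpath() containment test before touching the filesystem, and HTML-escape it wherever it is echoed. The function names, the ".html" naming rule and the demo directory are assumptions.

```php
<?php
// Added example (not the poster's code). Assumption: includes are flat
// files named like "focus.html" in a single directory.

// Map the p parameter to a file inside $baseDir, or null if not allowed.
function resolveInclude(string $baseDir, string $name): ?string {
    // Allowlist the name: no slashes, no "..", no markup characters.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.html?\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so re-check containment afterwards.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Body extraction, simplified from the post's StripBody().
function stripBody(string $content): string {
    return preg_match('%<body[^>]*>(.*?)</body>%is', $content, $m) ? trim($m[1]) : '';
}

function renderInclude(string $baseDir, array $request): string {
    $p  = isset($request['p']) && is_string($request['p']) ? $request['p'] : '';
    $lb = isset($request['lb']) && $request['lb'] === '1';
    $path = resolveInclude($baseDir, $p);
    if ($path === null) {
        // Rejected input is echoed only after HTML-escaping.
        return '[<i>' . htmlspecialchars($p, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</i>]';
    }
    $close = $lb ? '<a href="#" class="lbAction" rel="deactivate">Close</a>' : '';
    // $p passed the allowlist, so it cannot close the HTML comment.
    return "<!-- include $p BEGIN -->\n" . $close
         . stripBody(file_get_contents($path)) . $close
         . "\n<!-- include $p END-->\n";
}

// Constructed demo: temporary includes directory and sample requests.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'includes_demo';
is_dir($dir) || mkdir($dir);
file_put_contents("$dir/focus.html", '<html><body><p>Ford Focus</p></body></html>');
foreach (['focus.html', '../include.php', '<script>alert(document.cookie)</script>'] as $p) {
    echo renderInclude($dir, ['p' => $p, 'lb' => '1']), "\n";
}
```

Escaping on output is what stops the reflected markup; the allowlist and containment check additionally keep p from naming files outside the includes directory.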