[SOLVED] Security of $_SERVER['DOCUMENT_ROOT'] value


xtopolis

Hi,

To solve an include (really: require) problem I was having [include within an include], I defined a constant DOCROOT to be $_SERVER['DOCUMENT_ROOT'].'/folder'.

<?php
// Absolute base path for includes, built from the server's document root
define('DOCROOT', $_SERVER['DOCUMENT_ROOT'] . '/folder/');
?>

 

For my hosted webserver, this gives me a value of:

"/kunden/homepages/35/d181803461/htdocs/folder/"

 

The reason I chose DOCUMENT_ROOT over putting the url of the domain is because my host does not allow fopen for urls, and the includes fail.

 

So my question is, are there any security issues with people viewing the source seeing the directory structure like that?  Neither the 35 nor d181... are relevant #s to my account or anything that I would use to login, fyi.  Should I change how I do includes, or will this be fine?

 

[FYI, my include problem was from including within an include using '../' hierarchy that changed when I tried to do the same from a different folder on the same level.  I can address this separately if needed.]

No, there are no security issues with the _SERVER superglobal.

 

Not true. See here

http://seancoates.com/xss-woes

 

That being said, DOCUMENT_ROOT is defined entirely server side, and it is not vulnerable to browser-based attacks.

Alright, I'll take it that showing the document structure as I posted is fine, and that my $_SERVER['DOCUMENT_ROOT'] var is safe.

 

That is an interesting article, albeit from 2005.  Wonder if it still works...

 

Also, aside from the server being hacked, which then of course the website would be compromised, I will assume DOCUMENT_ROOT cannot be modified.
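
The distinction drawn in the replies above, as an added example that is not part of the original thread: DOCUMENT_ROOT comes from server configuration, while other $_SERVER entries are copied from the request and need the same handling as any user input. The function names and the sample request values are constructed for illustration.

```php
<?php
// Added example: function names and sample values are constructed.

// $_SERVER keys whose values are copied from the request line.
const REQUEST_LINE_KEYS = [
    'PHP_SELF', 'REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'REQUEST_METHOD',
];

// True when the client chooses the value, so it must be treated as user input.
function is_request_derived(string $key): bool
{
    // Every request header is exposed as HTTP_<NAME>, e.g. HTTP_USER_AGENT.
    return strncmp($key, 'HTTP_', 5) === 0
        || in_array($key, REQUEST_LINE_KEYS, true);
}

// Group keys into 'request' (client-chosen) and 'other'. 'other' only means
// "not on the list above"; it is not a guarantee that the value is trusted.
function classify_server(array $server): array
{
    $out = ['request' => [], 'other' => []];
    foreach (array_keys($server) as $key) {
        $out[is_request_derived((string)$key) ? 'request' : 'other'][] = $key;
    }
    return $out;
}

// Escape a value for HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed stand-in for $_SERVER so the script also runs from the CLI.
$server = [
    'DOCUMENT_ROOT'   => '/var/www/example/htdocs',
    'PHP_SELF'        => '/folder/form.php/"><b>injected</b>',
    'REQUEST_URI'     => '/folder/form.php/%22%3E?x=1',
    'HTTP_USER_AGENT' => '<i>agent</i>',
];

print_r(classify_server($server));

// The include base is built from server configuration, never from the request.
define('DOCROOT', $server['DOCUMENT_ROOT'] . '/folder/');
echo DOCROOT, "\n";

// Request-derived values are escaped at the point of output.
echo '<form action="', h($server['PHP_SELF']), '" method="post">', "\n";
```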

Archived

This topic is now archived and is closed to further replies.
