Re: [Full-disclosure] How to protect RFI ??
- From: "Jamie Riden" <jamie.riden@xxxxxxxxx>
- Date: Sat, 26 May 2007 22:16:12 +0100
On 26/05/07, Mark Sec <mark.sec@xxxxxxxxx> wrote:
does any1 how to protect about RFI (Remote file inclusion), and what i need
to see over php files ?
-mark
Briefly:
1. Secure your php install - turn off allow_url_fopen and
allow_url_include in php.ini
2. Make sure your PHP app is not vulnerable - an attacker shouldn't be
able to control what's included. This should protect you from local
file inclusion as well.
3. Use suhosin and/or mod_security
4. (maybe) configure your firewall to disallow outbound connections
initiated by the webserver
cheers,
Jamie
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Follow-Ups:
- Re: [Full-disclosure] How to protect RFI ??
- From: Mark Sec
- Re: [Full-disclosure] How to protect RFI ??
- References:
- [Full-disclosure] How to protect RFI ??
- From: Mark Sec
- [Full-disclosure] How to protect RFI ??
- Prev by Date: [Full-disclosure] How to protect RFI ??
- Next by Date: [Full-disclosure] PHRACK 64 Released
- Previous by thread: [Full-disclosure] How to protect RFI ??
- Next by thread: Re: [Full-disclosure] How to protect RFI ??
- Index(es):
Relevant Pages
|
|
