[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] How to protect RFI ??

To: "Mark Sec" <mark.sec@xxxxxxxxx>
Subject: Re: [Full-disclosure] How to protect RFI ??
From: "Jamie Riden" <jamie.riden@xxxxxxxxx>
Date: Sat, 26 May 2007 22:16:12 +0100

On 26/05/07, Mark Sec <mark.sec@xxxxxxxxx> wrote:
>
>
> does any1 how to protect about RFI (Remote file inclusion), and what i need
> to see over php files ?
>
> -mark

Briefly:
1. Secure your php install - turn off allow_url_fopen and
allow_url_include in php.ini
2. Make sure your PHP app is not vulnerable - an attacker shouldn't be
able to control what's included. This should protect you from local
file inclusion as well.
3. Use suhosin and/or mod_security
4. (maybe) configure your firewall to disallow outbound connections
initiated by the webserver

cheers,
 Jamie

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] How to protect RFI ??
  - From: Mark Sec

References:
- [Full-disclosure] How to protect RFI ??
  - From: Mark Sec

Prev by Date: [Full-disclosure] How to protect RFI ??
Next by Date: [Full-disclosure] PHRACK 64 Released
Previous by thread: [Full-disclosure] How to protect RFI ??
Next by thread: Re: [Full-disclosure] How to protect RFI ??
Index(es):
- Date
- Thread