Full Disclosure mailing list archives

Re: How to protect RFI ??


From: "Mark Sec" <mark.sec () gmail com>
Date: Mon, 28 May 2007 04:41:42 +0200

Good, thanks.
Does anyone know a tool for looking for vulnerabilities "inside" my *.php files?
Or something to automate the "search" for vulnerabilities?

- mark




On 26/05/07, Jamie Riden <jamie.riden () gmail com> wrote:

On 26/05/07, Mark Sec <mark.sec () gmail com> wrote:
>
>
> Does anyone know how to protect against RFI (remote file inclusion), and what
> I need to look at in PHP files?
>
> -mark

Briefly:
1. Secure your php install - turn off allow_url_fopen and
allow_url_include in php.ini
2. Make sure your PHP app is not vulnerable - an attacker shouldn't be
able to control what's included. This should protect you from local
file inclusion as well.
3. Use suhosin and/or mod_security
4. (maybe) configure your firewall to disallow outbound connections
initiated by the webserver

cheers,
Jamie

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
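
As an added example (not part of the original thread, and not an existing tool), the Python sketch below covers points 1 and 2 of the reply: it reports whether allow_url_fopen or allow_url_include is effectively on for a given php.ini, and lists include/require statements whose argument contains a variable so they can be reviewed by hand. The function names and sample inputs are constructed for illustration, and the scan is a line-based heuristic that misses statements split across lines.

```python
import re

# PHP's built-in defaults when a directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}
ON_VALUES = {"1", "on", "true", "yes"}

# include/require (optionally _once) used as a statement, not as part of a
# variable, method or longer identifier; group 1 is the argument up to ';'.
INCLUDE_RE = re.compile(
    r"(?<![$\w>])(?:include|require)(?:_once)?\b\s*\(?\s*([^;]*);", re.I)
VARIABLE_RE = re.compile(r"\$\w+")

def url_wrappers_enabled(ini_text):
    """Return the URL directives that are effectively On for this php.ini text."""
    state = dict(DEFAULTS)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()      # ';' starts a php.ini comment
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in state:
            state[key.lower()] = value.strip("\"'").lower() in ON_VALUES
    return sorted(name for name, on in state.items() if on)

def dynamic_includes(php_source):
    """Return (line_number, statement) for includes whose argument has a variable."""
    hits = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue                               # skip comment-only lines
        match = INCLUDE_RE.search(line)
        if match and VARIABLE_RE.search(match.group(1)):
            hits.append((number, match.group(0).strip()))
    return hits

# Constructed samples, not taken from any real application.
SAMPLE_INI = "; constructed php.ini\nallow_url_fopen = On\nallow_url_include = Off\n"
SAMPLE_PHP = """<?php
require_once 'config.php';
include($_GET['page'] . '.php');
include 'header.php';
"""

if __name__ == "__main__":
    print("URL wrappers on:", url_wrappers_enabled(SAMPLE_INI))
    for number, statement in dynamic_includes(SAMPLE_PHP):
        print(f"line {number}: review {statement}")
```

A flagged line is only a candidate: it still has to be checked for whether the variable can be influenced by a request.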
