Network Security: Detailed info on Re: [Full-disclosure] How to protect RFI ??

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security FullDisclosure

[Top] [All Lists]

Re: [Full-disclosure] How to protect RFI ??

from [Jamie Riden] Network Security

[Permanent Link]

Subject:	Re: [Full-disclosure] How to protect RFI ??
Date:	Sat, 26 May 2007 22:16:12 +0100

On 26/05/07, Mark Sec <mark.sec@gmail.com> wrote:



does any1 how to protect about RFI (Remote file inclusion), and what i need
to see over php files ?

-mark


Briefly:
1. Secure your php install - turn off allow_url_fopen and
allow_url_include in php.ini
2. Make sure your PHP app is not vulnerable - an attacker shouldn't be
able to control what's included. This should protect you from local
file inclusion as well.
3. Use suhosin and/or mod_security
4. (maybe) configure your firewall to disallow outbound connections
initiated by the webserver

cheers,
 Jamie

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More messages with this same subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Full-disclosure] How to protect RFI ??, Mark Sec Re: [Full-disclosure] How to protect RFI ??, Jamie Riden <= Re: [Full-disclosure] How to protect RFI ??, Mark Sec Re: [Full-disclosure] How to protect RFI ??, Andrew Farmer Re: [Full-disclosure] How to protect RFI ??, Kradorex Xeron

Previous by Date:	[Full-disclosure] How to protect RFI ??, Mark Sec
Next by Date:	[Full-disclosure] PHRACK 64 Released, The Circle of Lost Hackers
Previous by Thread:	[Full-disclosure] How to protect RFI ??, Mark Sec
Next by Thread:	Re: [Full-disclosure] How to protect RFI ??, Mark Sec
Indexes:	[Date] [Thread] [Top] [All Lists]