
| Subject: | Re: [Full-disclosure] How to protect RFI ?? |
|---|---|
| Date: | Sun, 27 May 2007 00:35:26 -0400 |
On Saturday 26 May 2007 16:37, Mark Sec wrote:
> Does anyone know how to protect against RFI (Remote file inclusion), and what I need to look at in PHP files? -mark
On a script basis:

1. Parse input for validity.
2. Don't allow URLs to be unconditionally accepted.
3. Don't allow XSS by making sure input is genuine and doesn't contain extra characters beyond what is expected.

On a server basis: If it is a server that will be hosting users, I suggest deactivating RFI altogether, as users may install scripts that don't check input. Furthermore, disable sockets to prevent users from starting up their own "services" and/or backdoors; even though there may not be privileged access, if a user gets a shell of some sort, they may be able to get your system roped into a botnet or filestore under the HTTPD's account.

However, if it will only be hosting you, then it may be acceptable to leave the default config and make sure scripts behave on a per-script basis, as RFI may eventually be useful for you if you parse the include input.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
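As an added illustration of the script-level and server-level advice in the reply above (example code, not from the post's author or the list), the classic request-controlled include beside an allowlisted one, plus a runtime check of the php.ini directives that turn remote includes and raw sockets off; the page names under pages/ are assumed.

```php
<?php
// Added example. Vulnerable pattern: the request value becomes the include path.
// With allow_url_include=On a remote URL would be fetched and executed; even with
// it Off, "../" traversal into local files still works. Do not use this form.
function render_page_unsafe(string $page): void
{
    include $page . '.php';
}

// Hardened pattern: the request value is only a lookup key into a fixed map
// (assumed file names). It never takes part in building a path, so neither a
// URL nor a traversal sequence can reach include().
const PAGE_ALLOWLIST = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(?string $page): string
{
    if ($page === null || $page === '') {
        return PAGE_ALLOWLIST['home'];          // default when the parameter is absent
    }
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        http_response_code(404);                // reject anything not in the map
        exit('Unknown page');
    }
    return PAGE_ALLOWLIST[$page];
}

function render_page_safe(): void
{
    // filter_input returns a string or null; ?page[]=x (an array) yields false,
    // which is mapped to null here instead of being passed on.
    $page = filter_input(INPUT_GET, 'page', FILTER_DEFAULT);
    include resolve_page(is_string($page) ? $page : null);
}

// Server-side check for the "deactivate RFI / disable sockets" advice. PHP
// reports boolean directives as "1" or "0"/""; disable_functions is a
// comma-separated list. A hardened shared host returns false, false, true.
function rfi_hardening_report(): array
{
    $on = fn(string $d): bool => filter_var(ini_get($d), FILTER_VALIDATE_BOOLEAN);
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return [
        'allow_url_include' => $on('allow_url_include'),   // want false
        'allow_url_fopen'   => $on('allow_url_fopen'),     // want false on shared hosts
        'sockets_disabled'  => in_array('fsockopen', $disabled, true),
    ];
}

render_page_safe();
```

The matching php.ini lines are allow_url_include = Off, allow_url_fopen = Off and a disable_functions entry listing fsockopen and the socket_* functions; the report function reads whatever the running server actually has.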