Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] How to protect RFI ??

from [Mark Sec] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] How to protect RFI ??
Date: Mon, 28 May 2007 04:41:42 +0200 
G00d thanks,
does any1 know a tool for looking vulnerabilities "inside" of my *.php files
? or something to automated the "search" vulnerabilities?

- mark




On 26/05/07, Jamie Riden <jamie.riden@gmail.com> wrote: 

On 26/05/07, Mark Sec <mark.sec@gmail.com> wrote:
>
>
> does any1 how to protect about RFI (Remote file inclusion), and what i
need
> to see over php files ?
>
> -mark

Briefly:
1. Secure your php install - turn off allow_url_fopen and
allow_url_include in php.ini
2. Make sure your PHP app is not vulnerable - an attacker shouldn't be
able to control what's included. This should protect you from local
file inclusion as well.
3. Use suhosin and/or mod_security
4. (maybe) configure your firewall to disallow outbound connections
initiated by the webserver

cheers,
Jamie

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] OpenOffice.org 2.2.0 Writer DoS vulnerability, carl hardwick
Next by Date:  Re: [Full-disclosure] How to protect RFI ??, Andrew Farmer
Previous by Thread:  Re: [Full-disclosure] How to protect RFI ??, Jamie Riden
Next by Thread:  Re: [Full-disclosure] How to protect RFI ??, Andrew Farmer
Indexes:  [Date] [Thread] [Top] [All Lists]