full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] How to protect RFI ??

Re: [Full-disclosure] How to protect RFI ??

From: Jamie Riden <jamie.riden_at_nospam>
Date: Sat May 26 2007 - 21:16:12 GMT
To: "Mark Sec" <mark.sec@gmail.com>


On 26/05/07, Mark Sec <mark.sec@gmail.com> wrote:
>
>
> does any1 how to protect about RFI (Remote file inclusion), and what i need
> to see over php files ?
>
> -mark

Briefly:
1. Secure your php install - turn off allow_url_fopen and allow_url_include in php.ini
2. Make sure your PHP app is not vulnerable - an attacker shouldn't be able to control what's included. This should protect you from local file inclusion as well.
3. Use suhosin and/or mod_security
4. (maybe) configure your firewall to disallow outbound connections initiated by the webserver

cheers,
 Jamie



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/