full-disclosure-uk May 2007 archive

Re: [Full-disclosure] How to protect RFI ??

From: Mark Sec <mark.sec_at_nospam>
Date: Mon May 28 2007 - 02:41:42 GMT
To: full-disclosure@lists.grok.org.uk


G00d thanks,
does anyone know a tool for looking for vulnerabilities "inside" of my *.php files? Or something to automate the "search" for vulnerabilities?

- mark

On 26/05/07, Jamie Riden <jamie.riden@gmail.com> wrote:
>
> On 26/05/07, Mark Sec <mark.sec@gmail.com> wrote:
> >
> >
> > does anyone know how to protect against RFI (Remote file inclusion), and what I need
> > to see over php files?
> >
> > -mark
>
> Briefly:
> 1. Secure your php install - turn off allow_url_fopen and
> allow_url_include in php.ini
> 2. Make sure your PHP app is not vulnerable - an attacker shouldn't be
> able to control what's included. This should protect you from local
> file inclusion as well.
> 3. Use suhosin and/or mod_security
> 4. (maybe) configure your firewall to disallow outbound connections
> initiated by the webserver
>
> cheers,
> Jamie
>
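
A small audit covering points 1 and 2 of the quoted advice, added here as an example and not code from either poster: it reports the two URL-wrapper settings unless php.ini explicitly turns them off, and flags include/require statements whose argument comes from request data. The sample php.ini and PHP source are constructed, the function names are hypothetical, and the scan is a line-based heuristic that follows only direct assignments from superglobals.

```python
import re

# Constructed sample inputs (not from the thread).
SAMPLE_INI = """\
; constructed php.ini fragment
allow_url_fopen = On
;allow_url_include = Off
"""
SAMPLE_PHP = """\
<?php
// constructed sample source
include($_GET['page'] . '.php');
require_once 'lib/db.php';
$tpl = $_REQUEST['tpl'];
include "templates/$tpl";
$pages = array('home' => 'home.php');
include $pages['home'];
"""

URL_SETTINGS = ("allow_url_fopen", "allow_url_include")
OFF_VALUES = ("", "0", "off", "false", "no", "none")
INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\b\s*\(?\s*(.*?);", re.I)
TAINT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(.*?);")

def audit_ini(text):
    """Return the URL-wrapper settings that php.ini does not explicitly turn off."""
    state = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # ';' starts a comment in php.ini
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            state[key] = value.strip('"').lower()
    return [k for k in URL_SETTINGS if state.get(k) not in OFF_VALUES]

def scan_php(source):
    """Return (line_no, code) for include/require fed by request-controlled data."""
    tainted, findings = set(), []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]             # crude comment stripping
        inc = INCLUDE_RE.search(code)
        if inc:
            arg = inc.group(3)
            via_var = any(re.search(re.escape(v) + r"\b", arg) for v in tainted)
            if TAINT_RE.search(arg) or via_var:
                findings.append((no, code.strip()))
            continue
        asg = ASSIGN_RE.search(code)
        if asg and TAINT_RE.search(asg.group(2)):
            tainted.add(asg.group(1))             # variable now carries request data
    return findings
```

On the constructed samples, the commented-out `allow_url_include` line does not count as an explicit setting, and the include through the fixed `$pages` array is not flagged.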


