[Full-disclosure] How to protect RFI ??
Jamie Riden
jamie.riden at gmail.com
Sat May 26 22:16:12 BST 2007
On 26/05/07, Mark Sec <mark.sec at gmail.com> wrote:
>
>
> does any1 how to protect about RFI (Remote file inclusion), and what i need
> to see over php files ?
>
> -mark
Briefly:
1. Secure your php install - turn off allow_url_fopen and
allow_url_include in php.ini
2. Make sure your PHP app is not vulnerable - an attacker shouldn't be
able to control what's included. This should protect you from local
file inclusion as well.
3. Use suhosin and/or mod_security
4. (maybe) configure your firewall to disallow outbound connections
initiated by the webserver
cheers,
Jamie
Full-Disclosure is hosted and sponsored by Secunia.