Full Disclosure mailing list archives
Re: How to protect RFI ??
From: Kradorex Xeron <admin () digibase ca>
Date: Sun, 27 May 2007 00:35:26 -0400
On Saturday 26 May 2007 16:37, Mark Sec wrote:
does any1 how to protect about RFI (Remote file inclusion), and what i need to see over php files ? -mark
On a script basis: 1. Parse input for validity 2. Don't allow urls to be unconditionally accepted 3. Don't allow XSS bymaking sure input is genuine and doesn't contain extra characters than are expected. On a server-basis: If it is a server that will be hosting users, I suggest deactivating RFI all-together as users may install scripts that don't check input, Furthermore, disable sockets to prevent users from starting up their own "services" and/or backdoors, even though there may not be privledged access, if a user gets a shell of some sort, they may be able to get your system roped into a botnet or filestore under the HTTPD's account. However, if it will only be hosting you, then it may be acceptable to leave the default config and make sure scripts behave on a per-script basis as RFI may be eventually useful for you if you parse the include input. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- How to protect RFI ?? Mark Sec (May 26)
- Re: How to protect RFI ?? Jamie Riden (May 26)
- Re: How to protect RFI ?? Mark Sec (May 27)
- Re: How to protect RFI ?? Andrew Farmer (May 27)
- Re: How to protect RFI ?? Mark Sec (May 27)
- Re: How to protect RFI ?? Kradorex Xeron (May 26)
- Re: How to protect RFI ?? Jamie Riden (May 26)