-
Question about PHP security
I have lately been reading into PHP security a bit to sharpen up on my knowledge.
A couple of months ago I had a "white hat" hacker come to me about one of my sites where he was able to actually get the contents of my PHP scripts (not the client side code, the actual PHP code) by using an LFI approach (Local File Inclusion).
I read into the issue and had a few ideas and made some adjustments to the php.ini file, but I was curious as to how exactly he was able to do that. Does anyone know of any good articles out there that go into a lot of detail, or mind explaining it a little?
I assume most of the time this happens it is due to a faulty php.ini configuration by the server host, as mostly I work with clients who have shared hosting. Would that be accurate?
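The pattern an LFI attack needs is a script that passes a request parameter straight into include. The snippet below is an added example, not code from the thread: it shows that vulnerable pattern beside a hardened version that maps the parameter onto a fixed allow-list of files under an assumed pages/ directory and checks the resolved path before including it. The page names and directory are assumptions.

```php
<?php
// Added example (not from the thread). Shows the include pattern LFI attacks
// rely on, beside a hardened version that only includes allow-listed files.

// VULNERABLE: the request value is used directly as the include path, so the
// client controls which file (or stream wrapper) PHP reads and executes.
function vulnerable_page(string $page): void
{
    include $page;
}

// HARDENED: the request value is only a key into a fixed map of known files.
// Assumed file names under an assumed ./pages directory.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function hardened_page(string $page): void
{
    if (!array_key_exists($page, PAGE_MAP)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }

    $base = realpath(__DIR__ . '/pages');
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . PAGE_MAP[$page]);

    // realpath() resolves symlinks and "..", so we can confirm the target
    // really lives under the pages directory before including it. This is a
    // defence-in-depth check; the allow-list above is what makes it safe.
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }

    include $path;
}

// Only the key is taken from the request; the file name never is.
hardened_page($_GET['page'] ?? 'home');
```

Note that the allow-list is what closes the hole: no php.ini setting can make `include $_GET['page']` safe on its own, because the local files and wrappers PHP can reach are still reachable, so the php.ini changes are a second layer rather than the fix.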
-
Hi,
not exactly faulty ....
PHP allows a lot of things, and most users use just a subset of the functionality (and perhaps don't care about any risks associated with the rest). So, for some users it might be essential to retrieve data from another website, while for others it is just an extra risk.
One possible strategy - but not for a mass hoster - would be for the hosting company to make php.ini changes upon customers' request, but ask the customer to demonstrate the scripts that need a specific change.
Musicman
-
Yeah, with most hosts I can upload my own php.ini file according to my needs, but in the case that I cannot I just wanted to figure out some other methods of preventing LFI attacks.
-
Hi,
I believe this specific case has been handled by the PHP community with separate settings to allow opening a URL, and to allow inclusion of a remote URL into your website, so you could just ask to have the hosts upgraded.
Musicman
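The two settings Musicman refers to are allow_url_fopen and allow_url_include (separate since PHP 5.2). The fragment below is an added example, not from the thread or from any host's real configuration: it shows the weak combination beside the values a shared host should ship, plus open_basedir as the setting that limits what a local include can reach at all. The directory paths are assumptions.

```ini
; Added example (not from the thread). php.ini settings relevant to LFI.
; allow_url_fopen and allow_url_include are PHP_INI_SYSTEM: a script cannot
; change them with ini_set(), so they belong in php.ini or, under Apache,
; in a php_admin_flag line for the vhost.

; --- Weak: remote URLs can be both opened and included ---------------------
; allow_url_fopen = On
; allow_url_include = On
; open_basedir is unset, so a local include can read any file the PHP
; process can read.

; --- Recommended ------------------------------------------------------------
; Leave fopen on only if scripts genuinely fetch remote data (e.g. feeds).
allow_url_fopen = On
; Never allow include/require to pull in a remote URL.
allow_url_include = Off
; Confine file access to the site's own tree plus its temp directory
; (assumed paths; one entry per directory, separated by ':' on Unix).
open_basedir = /var/www/example.com/htdocs:/var/www/example.com/tmp
; Hide the PHP version from response headers; not a fix, just less information.
expose_php = Off
```

On shared hosting these lines usually have to go in the host's php.ini (or a per-directory php.ini / .user.ini where the host honours one); open_basedir can also be tightened, but never loosened, from a script with ini_set().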