[27191] in bugtraq

Re: Information Disclosure with Invision Board installation (fwd)

daemon@ATHENA.MIT.EDU (Ka)
Wed Sep 25 17:51:05 2002

Content-Type: text/plain;
  charset="iso-8859-1"
From: Ka <ka@khidr.net>
To: Gossi The Dog <gossi@lab6.com>, full-disclosure@lists.netsys.com,
        <bugtraq@securityfocus.com>
Date: Wed, 25 Sep 2002 13:55:10 +0200
In-Reply-To: <Pine.LNX.4.44.0209251147490.18333-100000@kerri.darla.co.uk>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200209251355.16685.ka@khidr.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, Gossi,

I agree with your standpoint. Some "project leaders"
easily turn into "project defenders" when one takes
a closer look at their project. .o)


So the advice for any server with "Invision Board" installed 
is to disable phpinfo() in the php startup file in addition
to setting safe_mode = On and perhaps specifying a special 
safe_mode_exec_dir.


-- see /etc/php.ini --

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.  This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions = phpinfo

----------------------




Ka
-- 
"It's the perfect time of day
to throw all your cares away"  Barenaked Ladies
http://www.khidr.net/users/ka/pgpkey.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9kaQf72vu22ltWBERAmZSAJ9zCkpzTzh0d/XQ7JmRtRU4eIQs9wCffao1
xBEznfgI7TidhIhG8wOJYF8=
=rUAX
-----END PGP SIGNATURE-----
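Added example, not part of the original message or of the Invision Board project: a small audit script that reads a php.ini file and reports whether the hardening Ka recommends is actually in place (phpinfo in disable_functions, safe_mode = On, and a safe_mode_exec_dir set). The two embedded ini fragments are constructed for the demonstration; the path /etc/php.ini and the extra functions listed in the hardened fragment (exec, system, passthru) are assumptions, not settings taken from the post.

```python
"""Audit a php.ini for the hardening advised in the thread above.

Checks: phpinfo() listed in disable_functions, safe_mode turned On,
and safe_mode_exec_dir set when safe_mode is On.
"""
import sys

# Constructed sample fragments (not from the original post): a stock,
# unhardened php.ini and one edited as the message advises.
WEAK_INI = """\
; default settings
safe_mode = Off
; disable_functions =
disable_functions =
"""

HARDENED_INI = """\
safe_mode = On
safe_mode_exec_dir = /usr/local/php-bin      ; assumed path
; keep Invision Board (or any script) from exposing server details
disable_functions = phpinfo, exec, system, passthru
"""


def parse_ini(text):
    """Return {directive: value} for php.ini-style text.

    Anything after an unquoted ';' is a comment, '[Section]' headers are
    skipped, directive names are case-insensitive. Quoted values that
    themselves contain ';' are not handled (rare in php.ini).
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def disabled_functions(directives):
    """The disable_functions list as a set of lower-cased names."""
    raw = directives.get("disable_functions", "")
    return {f.strip().lower() for f in raw.split(",") if f.strip()}


def is_on(value):
    """PHP accepts 1/On/True/Yes (case-insensitive) as a true boolean."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def audit(text, required=("phpinfo",)):
    """Return a list of findings; an empty list means the file passes."""
    d = parse_ini(text)
    disabled = disabled_functions(d)
    findings = []
    for fn in required:
        if fn.lower() not in disabled:
            findings.append(f"{fn}() is not listed in disable_functions")
    safe_mode = d.get("safe_mode", "")
    if not is_on(safe_mode):
        findings.append("safe_mode is not On")
    elif not d.get("safe_mode_exec_dir"):
        findings.append("safe_mode is On but safe_mode_exec_dir is unset")
    return findings


if __name__ == "__main__":
    # Default path is an assumption; pass the real php.ini as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/php.ini"
    with open(path, encoding="latin-1") as fh:
        problems = audit(fh.read())
    for p in problems:
        print("FAIL:", p)
    if not problems:
        print("OK: phpinfo disabled, safe_mode On, exec dir set")
    sys.exit(1 if problems else 0)
```

Two caveats worth keeping in mind when applying this: disable_functions is a PHP_INI_SYSTEM directive, so it can only be set in php.ini (or via php_admin_value in the web server config), which is exactly why a script such as Invision Board cannot undo it with ini_set(); and safe_mode was deprecated in PHP 5.3 and removed in 5.4, so on later versions only the disable_functions part of this advice still applies.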
