[27212] in bugtraq
Re: Information Disclosure with Invision Board installation (fwd)
daemon@ATHENA.MIT.EDU (Bonemach)
Fri Sep 27 16:33:46 2002
Message-ID: <3D92AB6C.8000305@sdf.lonestar.org>
Date: Thu, 26 Sep 2002 08:38:36 +0200
From: Bonemach <bonemach@sdf.lonestar.org>
MIME-Version: 1.0
To: Ka <ka@khidr.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
You might also want to send the PHP error messages to syslog instead of
to the web. This can be configured in php.ini.
Bone Machine
---
"Break my body, hold my bones" -- The Pixies
---
Ka wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Well, Gossi,
>
> I agree with your standpoint. Some "project leaders"
> easily turn into "project defenders" when one takes
> a closer look at their project. .o)
>
>
> So the advice for any server with "Invision Board" installed
> is to disable phpinfo() in the php startup file in addition
> to setting safe-mode = On and perhaps specifying a special
> safe_mode_exec_dir.
>
>
> - -- see /etc/php.ini --
>
> ; This directive allows you to disable certain functions for security reasons.
> ; It receives a comma-deliminated list of function names. This directive is
> ; *NOT* affected by whether Safe Mode is turned On or Off.
> disable_functions = phpinfo
>
> - ----------------------
>
>
>
>
> Ka
> - --
> "It's the perfect time of day
> to throw all your cares away" Barenaked Ladies
> http://www.khidr.net/users/ka/pgpkey.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE9kaQf72vu22ltWBERAmZSAJ9zCkpzTzh0d/XQ7JmRtRU4eIQs9wCffao1
> xBEznfgI7TidhIhG8wOJYF8=
> =rUAX
> -----END PGP SIGNATURE-----
>
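An added example, not part of either message: a small Python check of a php.ini for the settings this thread recommends (errors kept off the web page, errors logged to syslog, `phpinfo` listed in `disable_functions`). The two sample files are constructed and the function names are hypothetical; `display_errors`, `log_errors` and `error_log` are the php.ini directives that control error output.

```python
# Constructed sample: errors go to the browser, phpinfo() is still callable.
SAMPLE_INI = """\
; constructed sample, not from the thread
display_errors = On
log_errors = Off
;error_log = syslog
disable_functions =
"""

# Constructed sample with the thread's advice applied.
HARDENED_INI = """\
display_errors = Off
log_errors = On
error_log = syslog
disable_functions = phpinfo
"""

def parse_ini(text):
    """Return {directive: value} for active lines; a later line overrides an earlier one.
    Simplification: everything after ';' is treated as a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit(text):
    """List the thread's recommendations that this php.ini does not meet.
    Unset directives are flagged instead of assuming a version-specific default."""
    s = parse_ini(text)
    findings = []
    if s.get("display_errors", "on").lower() not in ("0", "off", "false", "no", ""):
        findings.append("display_errors: error messages may reach the web client")
    if s.get("log_errors", "").lower() not in ("1", "on", "true", "yes"):
        findings.append("log_errors: not enabled")
    if s.get("error_log", "").lower() != "syslog":
        findings.append("error_log: not set to syslog")
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",")}
    if "phpinfo" not in disabled:
        findings.append("disable_functions: phpinfo is not listed")
    return findings

if __name__ == "__main__":
    for name, ini in (("sample", SAMPLE_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or "ok")
```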