Full Disclosure mailing list archives
Re: GOnicus System Administrator php injection
From: Melvyn Sopacua <msopacua () idg nl>
Date: Mon, 24 Feb 2003 00:59:32 +0100 (CET)
On Sun, 23 Feb 2003, Karol Więsek wrote:

[snip background, exploit analysis and version info]

Ki82Ws>>> Temporary solution is to enable apache .htaccess authentication
Ki82Ws>>> in all subdirectories containing .php files, which are included, not
Ki82Ws>>> accessed directly.
Ki82Ws>>>
Ki82Ws>>> Example .htaccess file
Ki82Ws>>>
Ki82Ws>>> AuthType Basic
Ki82Ws>>> AuthName koza
Ki82Ws>>> UserAuthFile /dev/null

That would be:
AuthUserFile /dev/null
<http://httpd.apache.org/docs/mod/mod_auth.html#authuserfile>

Ki82Ws>>> require valid-user

Or perhaps:
allow_url_fopen = Off

in php.ini and restart apache.

--
With kind regards,

Melvyn Sopacua
<?php include("not_reflecting_employers_views.txt"); ?>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
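A check for the two mitigations suggested in this thread, as an added example that is not part of the original posts or of the GOsa project. The function names are hypothetical, and the script assumes every subdirectory of the given web root that holds .php files is a candidate for review, since it cannot tell include-only files from directly accessed ones.

```shell
#!/bin/sh
# Added example: audit for the two mitigations discussed in this thread.
# Function names are hypothetical; paths are supplied by the caller.

# Print each subdirectory of web root $1 that holds .php files but whose
# .htaccess lacks AuthUserFile or "require valid-user". A file using the
# misspelled "UserAuthFile" directive is reported as unprotected.
dirs_missing_auth() {
    root=${1%/}
    find "$root" -type f -name '*.php' -exec dirname {} \; | sort -u |
    while IFS= read -r dir; do
        [ "$dir" = "$root" ] && continue   # entry scripts live in the root
        ht="$dir/.htaccess"
        if [ -f "$ht" ] &&
           grep -Eiq '^[[:space:]]*AuthUserFile[[:space:]]+[^[:space:]]' "$ht" &&
           grep -Eiq '^[[:space:]]*require[[:space:]]+valid-user' "$ht"; then
            continue
        fi
        printf '%s\n' "$dir"
    done
}

# Succeed (exit 0) when php.ini file $1 leaves allow_url_fopen enabled.
# PHP enables it by default, so a missing or commented-out line counts as on.
url_fopen_enabled() {
    line=$(grep -E '^[[:space:]]*allow_url_fopen[[:space:]]*=' "$1" | tail -n 1)
    [ -n "$line" ] || return 0
    val=$(printf '%s\n' "$line" |
          sed 's/^[^=]*=[[:space:]]*//; s/[[:space:];].*$//' |
          tr -d '"' | tr 'A-Z' 'a-z')
    case "$val" in
        off|0|false|no|none|'') return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: audit.sh WEBROOT [PHP_INI]
if [ "$#" -ge 1 ]; then
    dirs_missing_auth "$1"
    if [ -n "${2:-}" ] && url_fopen_enabled "$2"; then
        echo "allow_url_fopen is enabled in $2"
    fi
fi
```

Directories it prints still need a manual decision: only those whose .php files are never requested directly should get the deny-all authentication block.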
Current thread:
- GOnicus System Administrator php injection Karol Więsek (Feb 23)
- Re: GOnicus System Administrator php injection Melvyn Sopacua (Feb 23)
- Re: GOnicus System Administrator php injection Dmitry Alyabyev (Feb 24)
- Re: GOnicus System Administrator php injection Melvyn Sopacua (Feb 23)