Security Incidents mailing list archives
Re: How to determine which PHP-script allows spamming?
From: ascii <ascii () katamail com>
Date: Fri, 14 Apr 2006 03:03:29 +0200
Kurt Seifried wrote:
> not allow it to request things). If you want to be really anal simply disallow any outgoing connection attempts for TCP SYN, this will prevent
i love bofh solutions and have to agree with Seifried

in php you can do this by allow_url_fopen 0

allow_url_fopen "1" PHP_INI_SYSTEM PHP_INI_ALL in PHP <= 4.3.4. Available since PHP 4.0.4.

this doesn't stop your clients from using functions like fsockopen and socket_, so people that need to fetch remote data are still able to use these functions and handle a simple http get request manually

this is like open_basedir that doesn't affect (naturally) exec/system/shell_exec/proc_/passthru/backtick functions

anyway filter the outgoing traffic != allow_url_fopen 0

also a transparent squid on the gateway of your web servers could be a good idea to identify abuses

regards,
Francesco 'ascii' Ongaro, http://www.ush.it/
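As an added example, not part of the original post: a small audit pass over PHP source that flags the calls the message names as untouched by `allow_url_fopen 0` (fsockopen, socket_) and by `open_basedir` (exec/system/shell_exec/proc_/passthru/backtick). The function name `audit`, the sample script and its host name are constructed for illustration, and the comment handling is a simple heuristic.

```python
import re

# Calls named in the message, grouped by the php.ini restriction that does
# NOT cover them. The lookbehind skips methods and variables such as
# $db->exec( or Foo::system( so only the built-in functions are reported.
NOT_COVERED = {
    "allow_url_fopen": r"(?<![\w$>:])(fsockopen|socket_\w+)\s*\(",
    "open_basedir": r"(?<![\w$>:])(exec|system|shell_exec|passthru|proc_\w+)\s*\(",
}
BACKTICK = re.compile(r"`[^`\n]+`")  # backtick operator: runs a shell command


def audit(php_source):
    """Return (line_number, directive_not_covering_it, call) for each hit."""
    findings = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        code = line.strip()
        # Heuristic: ignore whole-line comments; trailing comments are kept.
        if code.startswith(("//", "#", "*", "/*")):
            continue
        for directive, pattern in NOT_COVERED.items():
            for match in re.finditer(pattern, code, re.IGNORECASE):
                findings.append((number, directive, match.group(1).lower()))
        if BACKTICK.search(code):
            findings.append((number, "open_basedir", "backtick"))
    return findings


# Constructed sample script, not taken from the thread.
SAMPLE = """<?php
// fsockopen() in a comment is ignored
$page = file_get_contents($_GET['u']);   // a remote URL here is blocked by allow_url_fopen 0
$fp = fsockopen('www.example.org', 80);  // manual http get, still works
$s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
$rows = $db->exec('DELETE FROM t');      // PDO method, not a shell
echo shell_exec('id');
$out = `uname -a`;
"""

if __name__ == "__main__":
    for number, directive, call in audit(SAMPLE):
        print(f"line {number}: {call} is not restricted by {directive}")
```

Scripts that show up in this list are the ones to check against the egress filter or proxy logs, since the php.ini settings alone do not constrain them.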