lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: bonemach at sdf.lonestar.org (Bonemach)
Subject: Re: Information Disclosure with Invision Board installation (fwd)

You might also want to send the PHP error messages to syslog instead of 
to the web. This can be configured in php.ini

Bone Machine

---
"Break my body, hold my bones" -- The Pixies
---

Ka wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Well, Gossi,
> 
> I agree with your standpoint. Some "project leaders"
> easily turn into "project defenders" when one takes
> a closer look at their project. .o)
> 
> 
> So the advice for any server with "Invision Board" installed 
> is to disable phpinfo() in the php startup file in addition
> to setting safe-mode = On and perhaps specifying a special 
> safe_mode_exec_dir.
> 
> 
> - -- see /etc/php.ini --
> 
> ; This directive allows you to disable certain functions for security reasons.
> ; It receives a comma-deliminated list of function names.  This directive is
> ; *NOT* affected by whether Safe Mode is turned On or Off.
> disable_functions = phpinfo
> 
> - ----------------------
> 
> 
> 
> 
> Ka
> - -- 
> "It's the perfect time of day
> to throw all your cares away"  Barenaked Ladies
> http://www.khidr.net/users/ka/pgpkey.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE9kaQf72vu22ltWBERAmZSAJ9zCkpzTzh0d/XQ7JmRtRU4eIQs9wCffao1
> xBEznfgI7TidhIhG8wOJYF8=
> =rUAX
> -----END PGP SIGNATURE-----
> 




Powered by blists - more mailing lists