Thread: How to patch Remote File Include

  1. #1
    Just burned his ISO
    Join Date
    Dec 2006
    Posts
    14

    How to patch Remote File Include

    Hi all friends!
    Many, many times we see RFI in CMSs, on various sites that talk about security, and in vulnerability databases. But I have never found a paper, a tutorial, a document, or a video that tells me "how to patch an RFI".

    Can anyone help me?

    Thanks!

  2. #2
    Senior Member shamanvirtuel's Avatar
    Join Date
    Mar 2010
    Location
    Somewhere in the "Ex" human right country
    Posts
    2,988

    Well, the first thing I can advise you is to disable PHP register_globals.
    Just include this script in your PHP file (this script doesn't edit php.ini).

    Code:
    <?php
    // If register_globals is on, drop every global variable that PHP created
    // from a request parameter name. No eval() needed: go through $GLOBALS.
    if (ini_get('register_globals'))
    {
      // Only names that are valid PHP identifiers can have become globals.
      $name_pattern = '/^[a-zA-Z_][a-zA-Z0-9_]*$/';

      // Unset $_GET keys
      foreach ($_GET as $get_key => $get_value) {
        if (preg_match($name_pattern, $get_key)) unset($GLOBALS[$get_key]);
      } // Unset $_POST keys
      foreach ($_POST as $post_key => $post_value) {
        if (preg_match($name_pattern, $post_key)) unset($GLOBALS[$post_key]);

      } // Unset $_REQUEST keys
      foreach ($_REQUEST as $request_key => $request_value) {
        if (preg_match($name_pattern, $request_key)) unset($GLOBALS[$request_key]);
      }
    }
    ?>

    Hope this helps... I don't have any URLs in mind for now, but I have this somewhere in my link bank.....
    Will post when I find the links.
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

  3. #3
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Quote Originally Posted by Mister0
    Hi all friends!
    Many, many times we see RFI in CMSs, on various sites that talk about security, and in vulnerability databases. But I have never found a paper, a tutorial, a document, or a video that tells me "how to patch an RFI".

    Can anyone help me?

    Thanks!
    I'm a little confused by your question... are you trying to patch your own server from allowing remote file includes? (i.e. you're hosting websites and do not want to allow your vhosts to have RFI capabilities?)
    dd if=/dev/swc666 of=/dev/wyze

  4. #4
    Just burned his ISO
    Join Date
    Dec 2006
    Posts
    14

    Thanks for the reply!
    I know the php.ini option to disable RFI, but my question was about RFI in the source of a webpage.
    For example:
    Code:
    <?php
    $bug = $_GET['bug'];
    include $bug;
    ?>
    To fix this I use:
    Code:
    defined ( $bug ) or die ("FIXED!!!");
    Well, if the user MUST input something, how can I fix this?
    What are all the methods to fix RFI?

    Thanks!
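
For the case raised in post #4, where the included page must be chosen by the user, one common fix is to treat the parameter as a lookup key into a fixed allowlist instead of as a path. This is an added example, not code from any poster in this thread; the page names and the `pages/` directory are assumptions.

```php
<?php
// Added example: allowlist-based include for the ?bug= parameter from post #4.
// The page keys and the pages/ directory are assumptions for illustration.

// Accepted parameter values mapped to local files. The request value is only
// ever used as a lookup key, never as part of a path or URL.
const PAGES = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to a local file path.
 * Returns null when the name is not on the allowlist or the file is missing.
 */
function resolve_page($requested, string $base_dir): ?string
{
    // Arrays (?bug[]=x) and anything not on the list are rejected outright,
    // so "http://..." or "../../etc/passwd" never reach include.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the file must exist and resolve inside $base_dir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['bug'] ?? 'home';   // default page when no parameter is sent
$file = resolve_page($requested, __DIR__ . '/pages');

if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```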
