How to patch Remote File Include

[Mister0]

HI all friends!
Many and many time we see RFI in CMS,on various sites that talk about security,database of vuln.But I've not never found a paper,a tutorial,a document,a video,that tell me "how to patch a RFI"

Can anyone help me?

Thanks!

[shamanvirtuel]

well first i can advise you is to disable php register_globals
just include this script in your php file (this script don't edit php.ini)

Code:

<?php

if (ini_get(register_globals))  
{ // Unset $_GET keys
  foreach ($_GET as $get_key => $get_value) {
    if (ereg('^([a-zA-Z]|_){1}([a-zA-Z0-9]|_)*$', $get_key)) eval("unset(\${$get_key});");
  } // Unset $_POST keys
  foreach ($_POST as $post_key => $post_value) {
    if (ereg('^([a-zA-Z]|_){1}([a-zA-Z0-9]|_)*$', $post_key)) eval("unset(\${$post_key});");

  } // Unset $_REQUEST keys
  foreach ($_REQUEST as $request_key => $request_value) {
    if (ereg('^([a-zA-Z]|_){1}([a-zA-Z0-9]|_)*$', $request_key)) eval("unset(\${$request_key});");
  }
}
?>

hope helps... i don't have any urls in mind for now, but i've this somewhere in my link bank
.....
will post when find the links

[imported_wyze]

HI all friends!
Many and many time we see RFI in CMS,on various sites that talk about security,database of vuln.But I've not never found a paper,a tutorial,a document,a video,that tell me "how to patch a RFI"

Can anyone help me?

Thanks!

I'm a little confused by your question... are you trying to patch your own server from allowing remote file includes? (i.e. your hosting websites and do not want to allow your vhosts to have RFI capabilities?)

[Mister0]

Thanks for reply!
I know the option of php.ini to disable RFI,but my question was for RFI in a source of a webpage.
For example:

Code:

<?php
$bug = $_GET['bug'];
include $bug;
?>

To fix this I use:

Code:

defined ( $bug ) or die ("FIXED!!!");

Well.If the user MUST input something,how can I fix this?
Which are all methods to fix the RFI?

Thanks!