Apache PHP Config

From C4 Wiki
Revision as of 03:09, 5 November 2004 by 81.173.134.29 (talk)

This is a start; find out more here.

safe_mode = On
register_globals = Off
allow_url_fopen = Off
expose_php = Off
display_errors = Off
log_errors = On
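
A way to check an existing php.ini against the six settings above, as an added example that is not part of the original wiki page. The status names and the sample file are constructed for illustration, and the script assumes a later assignment of a directive overrides an earlier one.

```python
import re

# The six directives and values recommended on this page (True = On).
RECOMMENDED = {"safe_mode": True, "register_globals": False, "allow_url_fopen": False,
               "expose_php": False, "display_errors": False, "log_errors": True}
ON_WORDS = {"1", "on", "true", "yes"}
OFF_WORDS = {"0", "off", "false", "no", "none", ""}
ASSIGNMENT = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")


def parse_bool(raw):
    """Map a php.ini boolean spelling to True/False, or None if unrecognised."""
    word = raw.strip().strip("\"'").lower()   # values are case-insensitive
    if word in ON_WORDS:
        return True
    return False if word in OFF_WORDS else None


def audit(ini_text):
    """Return {directive: 'ok' | 'weak' | 'unset' | 'unparsed'} for the six directives."""
    seen = {}
    for line in ini_text.splitlines():
        match = ASSIGNMENT.match(line.split(";", 1)[0].strip())  # drop ; comments
        # Directive names are case-sensitive, so "Log_Errors" is not "log_errors".
        if match and match.group(1) in RECOMMENDED:
            seen[match.group(1)] = match.group(2)  # assumed: a later line overrides
    report = {}
    for name, wanted in RECOMMENDED.items():
        if name not in seen:
            report[name] = "unset"    # the build's default applies: check it by hand
            continue
        value = parse_bool(seen[name])
        report[name] = "unparsed" if value is None else "ok" if value == wanted else "weak"
    return report


# Constructed sample file, not taken from a real server.
SAMPLE = """\
[PHP]
; display_errors = Off
safe_mode = On
register_globals = on   ; enabled, spelled in lower case
allow_url_fopen = 0
expose_php = "Off"
display_errors = On
Log_Errors = 1
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:18} {status}")
```

A directive reported as "unset" is not necessarily weak: its effective value is whatever default the installed PHP build uses, so it has to be confirmed separately.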

Why? Well, look at this list (found on full-disclosure):

  • 2004-10-28: PHP cURL Open_Basedir Restriction Bypass Vulnerability
  • 2004-10-25: PHP Remote Arbitrary Location File Upload Vulnerability
  • 2004-10-25: PHP PHP_Variables Remote Memory Disclosure Vulnerability
  • 2004-10-16: PHP memory_limit Remote Code Execution Vulnerability
  • 2004-09-15: PHP Strip_Tags() Function Bypass Vulnerability
  • 2004-06-07: PHP Microsoft Windows Shell Escape Functions Command Execution Vulnerability
  • 2004-05-27: PHP Input/Output Wrapper Remote Include Function Command Execution Weakness
  • 2004-03-24: PHP openlog() Buffer Overflow Vulnerability
  • 2003-11-07: PHP emalloc() Unspecified Integer Overflow Memory Corruption Vulnerability
  • 2003-11-07: PHP wordwrap() Heap Corruption Vulnerability
  • 2003-09-24: PHP4 Multiple Vulnerabilities
  • 2003-09-24: PHP4 Base64_Encode() Integer Overflow Vulnerability
  • 2003-08-25: PHP Transparent Session ID Cross Site Scripting Vulnerability
  • 2003-08-13: PHP Mail Function ASCII Control Character Header Spoofing Vulnerability
  • 2003-08-13: PHP Function CRLF Injection Vulnerability
  • 2003-08-13: PHP DLOpen Memory Disclosure Vulnerability
  • 2003-07-17: PHP Undefined Safe_Mode_Include_Dir Safemode Bypass Vulnerability
  • 2003-06-08: PHP STR_Repeat Boundary Condition Error Vulnerability
  • 2003-06-08: PHP array_pad() Integer Overflow Memory Corruption Vulnerability
  • 2003-06-04: PHP PHPInfo Cross-Site Scripting Vulnerability
  • 2003-05-19: PHP Post File Upload Buffer Overflow Vulnerabilities
  • 2003-05-07: PHP SafeMode Arbitrary File Execution Vulnerability
  • 2003-04-14: PHP MySQL Safe_Mode Filesystem Circumvention Vulnerability
  • 2003-03-26: PHP socket_recvfrom() Signed Integer Memory Corruption Vulnerability
  • 2003-03-26: PHP socket_recv() Signed Integer Memory Corruption Vulnerability
  • 2003-03-25: PHP socket_iovec_alloc() Integer Overflow Vulnerability
  • 2003-02-19: PHP CGI SAPI Code Execution Vulnerability
  • 2003-01-08: PHP 4.0.3 IMAP Module Buffer Overflow Vulnerability
  • 2002-09-07: PHP Header Function Script Injection Vulnerability
  • 2002-08-08: PHP HTTP POST Incorrect MIME Header Parsing Vulnerability
  • 2002-07-22: PHP Interpreter Direct Invocation Denial Of Service Vulnerability
  • 2002-04-25: PHP posix_getpwnam / posix_getpwuid safe_mode Circumvention Vulnerability
  • 2002-03-21: PHP Move_Uploaded_File Open_Basedir Circumvention Vulnerability
  • 2002-02-08: PHP Include File Relative Directory Information Disclosure Vulnerability
  • 2002-01-15: PHP4 Session Files Local Information Disclosure Vulnerability
  • 2001-01-16: PHP .htaccess Attribute Transfer Vulnerability
  • 2001-01-12: PHP Engine Disable Source Viewing Vulnerability
  • 2000-10-12: PHP Error Logging Format String Vulnerability
  • 2000-09-03: PHP Upload Arbitrary File Disclosure Vulnerability
  • 2000-01-04: PHP3 'safe_mode' Failure Vulnerability
  • 1999-06-01: PHP/FI Buffer Overflow Vulnerability
  • 1999-06-01: PHP/FI mylog/mlog Vulnerability
  • 1999-06-01: PHP/FI Directory Traversal Vulnerability

(Careful: FUD included.)