Author: alpeterson
Description:
This is not a catch-all for security; however, most ISPs allow their users to have a .htaccess file.
Most also have globals turned on, but that is changing.
Anyway, including a .htaccess file like this one:
    # Turn register_globals off for this directory tree (php_flag takes on/off).
    php_flag register_globals off

    # Never serve .htaccess / .htpasswd themselves.
    <Files ".ht*">
        Deny from all
    </Files>
will protect quite a few people from any future register_globals security vulnerabilities.
And you can also do a few things like make the LocalSettings.php file not be readable when PHP is out,
by using code like this (works with Apache 2):
    # Only active when the PHP Apache 2 module (PHP 4's sapi_apache2.c here;
    # PHP 5's apache2handler is named mod_php5.c) is NOT loaded, i.e. when
    # .php files would otherwise be served as plain text.
    <IfModule !sapi_apache2.c>
        <Files ~ "\.php$">
            Order allow,deny
            Deny from all
        </Files>
        <Files ~ "\.phps$">
            Order deny,allow
            Allow from all
        </Files>
    </IfModule>
You may have to edit it so that it works with other common PHP variable names,
or just block the viewing of LocalSettings.php at all times.
Version: unspecified
Severity: enhancement
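As an added example (not part of the report above, and not MediaWiki's own shipped configuration), here is one complete .htaccess that combines the three ideas from the report: register_globals forced off, the .ht* files hidden, and LocalSettings.php refused at all times rather than only when the PHP module is missing. It assumes Apache 2.2 with PHP 5's apache2handler (module test name mod_php5.c, which differs from the sapi_apache2.c used in the report), that the file lives in the MediaWiki web root, and that the directory has AllowOverride Options and Limit (or All), which is what php_flag and Order/Deny need to be honoured from a .htaccess file.

```apache
# Added example .htaccess for a MediaWiki web root. Assumes Apache 2.2,
# PHP 5 as mod_php5 and AllowOverride Options Limit (or All).

# register_globals off regardless of the server-wide php.ini.
# php_flag is only processed when mod_php is loaded, hence the guard.
<IfModule mod_php5.c>
    php_flag register_globals off
</IfModule>

# Never serve .htaccess / .htpasswd themselves.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# LocalSettings.php holds the database credentials and is only ever
# include()d by the entry points (index.php etc.), so no browser ever
# needs to request it. Deny it always, not just when PHP is absent.
<Files "LocalSettings.php">
    Order allow,deny
    Deny from all
</Files>

# Belt and braces: if the PHP module is not loaded, every .php file
# would be sent as plain source text, so refuse them all in that case.
<IfModule !mod_php5.c>
    <Files ~ "\.php$">
        Order allow,deny
        Deny from all
    </Files>
</IfModule>
```

To check that a rule is being applied rather than silently ignored (which is what happens when AllowOverride does not permit the directive), request http://your-wiki/LocalSettings.php after installing the file: a 403 means the Files block is active, a 200 with PHP source or an empty page means the .htaccess is not being read. On Apache 2.4 the Order/Deny pairs are spelt `Require all denied` instead.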