Global PHP Settings

Hopefully, we will never need register globals or transparent SIDs. Register globals is a huge and long-standing PHP security risk, and automatic session IDs make it easy to hijack someone's session (the session ID is carried in the URL, so it is reported to the next website they click through to). Allowing URLs in fopen is a big vulnerability to cross-site scripting attacks.

/etc/php4/apache/php.ini:
session.use_trans_sid = off
session.auto_start = off
register_globals = off
allow_url_fopen = off

Alternatively, in the Apache configs:
php_admin_flag session.use_trans_sid 0
php_admin_flag session.auto_start 0
php_admin_flag register_globals 0
php_admin_flag allow_url_fopen 0

Also, in the Apache configs:
Options -Indexes
Options +FollowSymLinks
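
A way to check a php.ini file against the four settings listed above. This is an added example, not part of the original page; the function names `audit_php_ini` and `constructed_sample` and the sample file contents are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report which of the four
# directives above are not switched off in a php.ini file.

# Constructed sample input: two directives are on, one is overridden later.
constructed_sample() {
    cat <<'EOF'
; constructed sample, not a real server config
[PHP]
register_globals = On
allow_url_fopen = On   ; remote URLs allowed
register_globals = Off
[Session]
session.use_trans_sid = 1
session.auto_start = "0"
EOF
}

# audit_php_ini FILE   (use - for stdin)
# Prints one line per directive that is missing or not off; exit status 1 if any.
audit_php_ini() {
    awk '
        /^[ \t]*[;#]/ { next }                 # skip comment lines
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)        # strip a trailing ; comment
            eq = index(line, "=")
            if (eq == 0) next                  # section headers, blank lines
            key = substr(line, 1, eq - 1); val = tolower(substr(line, eq + 1))
            gsub(/[ \t]/, "", key); gsub(/[ \t"]/, "", val)
            seen[key] = val                    # a later line overrides an earlier one
        }
        END {
            n = split("session.use_trans_sid session.auto_start register_globals allow_url_fopen", want, " ")
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen)) { print k ": not set"; bad = 1 }
                else if (seen[k] != "off" && seen[k] != "0" && seen[k] != "false" &&
                         seen[k] != "no" && seen[k] != "none" && seen[k] != "") {
                    print k ": " seen[k]; bad = 1
                }
            }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Demo on the constructed sample; reports session.use_trans_sid and allow_url_fopen.
constructed_sample | audit_php_ini - || true
```

Values set with php_admin_flag in the Apache configs take precedence over php.ini, so a clean result here only covers the file itself.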