

How can I defend against an RFI attack?


You have to secure your scripts against attacks like this, for example by hard-coding the possible values "$page" can have in an array, or by checking $page for "://" before including it.
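
The two checks described above, combined in one function, as an added example that is not part of the original article. The page names, the file paths and the resolve_page helper are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: hard-coded allowlist for an include target.
// Keys are the only values "$page" may take; the paths are hypothetical.
const PAGES = [
    'home'    => 'pages/home.php',
    'news'    => 'pages/news.php',
    'contact' => 'pages/contact.php',
];

/**
 * Map a request value to a local file, or return null if it is not allowed.
 */
function resolve_page($page): ?string
{
    // Request parameters can arrive as arrays (?page[]=x); accept strings only.
    if (!is_string($page)) {
        return null;
    }
    // Check from the text: refuse anything containing a scheme separator.
    if (strpos($page, '://') !== false) {
        return null;
    }
    // Allowlist lookup: the include path always comes from PAGES,
    // never from the request value itself.
    return PAGES[$page] ?? null;
}

// Constructed sample inputs.
$samples = ['home', 'http://example.invalid/x.txt', 'no-such-page', 'HOME', ['home']];
foreach ($samples as $s) {
    $file = resolve_page($s);
    printf("%-34s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $file ?? 'rejected');
}

// In the script itself, fall back to a fixed page when the value is rejected:
//   $file = resolve_page($_GET['page'] ?? 'home') ?? PAGES['home'];
//   include __DIR__ . '/' . $file;
```

Only 'home' resolves to a file here; the lookup is case-sensitive, so 'HOME' is rejected along with the URL, the unknown name and the array.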

If you did not write the script, you will need to contact the script developer to get a security update.

There are two other common ways to defend against an RFI attack: disabling global variables and disabling url_fopen (the allow_url_fopen directive in php.ini).

With global variables (register_globals) disabled this type of remote file inclusion is not possible.

While url_fopen is enabled, an unsanitized include statement can fetch remote content. This is one of the major security holes in PHP.

