Lockdown of the logging directives

This is done to prevent an attacker who obtained arbitrary code execution to mess with the logging configuration.
author: jvoisin 2019-08-01 11:13:15 +0200
committer: jvoisin 2020-06-07 20:19:30 +0200
commit: e9ca6c39ac734e0e37f78405293e551d7f2863d0 (patch)
tree: 1000494f31de0d272182ea1820dcda129db7fefa /config/default.rules
parent: c709d4f77869c7de84fb717723029bffaf3c3c0a (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/config/default.rules b/config/default.rules
index 040a54b..05dd91d 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -138,3 +138,8 @@ sp.disable_function.function("curl_setopt").param("option").value("81").drop().a
 #File upload
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+# Logging lockdown
+sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop()
+sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop()
+sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop()
author	jvoisin	2019-08-01 11:13:15 +0200
committer	jvoisin	2020-06-07 20:19:30 +0200
commit	e9ca6c39ac734e0e37f78405293e551d7f2863d0 (patch)
tree	1000494f31de0d272182ea1820dcda129db7fefa /config/default.rules
parent	c709d4f77869c7de84fb717723029bffaf3c3c0a (diff)

diff --git a/config/default.rules b/config/default.rules index 040a54b..05dd91d 100644 --- a/config/default.rules +++ b/config/default.rules
@@ -138,3 +138,8 @@ sp.disable_function.function("curl_setopt").param("option").value("81").drop().a
138	#File upload	138	#File upload
139	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();	139	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
140	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();	140	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
		141
		142	# Logging lockdown
		143	sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop()
		144	sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop()
		145	sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop()