diff options
| -rw-r--r-- | config/default.rules | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/config/default.rules b/config/default.rules index 9dfa68e..040a54b 100644 --- a/config/default.rules +++ b/config/default.rules | |||
| @@ -46,7 +46,8 @@ sp.disable_function.function("putenv").param("setting").value_r("LD_").drop() | |||
| 46 | sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop() | 46 | sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop() |
| 47 | 47 | ||
| 48 | # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector | 48 | # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector |
| 49 | sp.disable_function.function("extract").param("array").value_r("^_").drop() | 49 | sp.disable_function.function("extract").param("var_array").value_r("^_").drop() |
| 50 | sp.disable_function.function("extract").param("extract_type").value("0").drop() | ||
| 50 | 51 | ||
| 51 | # This is also burned: | 52 | # This is also burned: |
| 52 | # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); | 53 | # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); |