php hardening #8147

Open
noci2012 opened this issue Dec 18, 2024 · 1 comment
Labels
support Community support

Comments

@noci2012

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug

AFAICT from the PHP sources, fopen is ONLY used for opening local files. So allowing the opening of Internet-related resources is probably not needed => should be discouraged.
(Can't vouch for non-installed modules though.)

allow_url_fopen = Off

Similar option:

allow_url_include = off

which could allow getting files through the network.

(Note: on other systems this often is an issue. Lynis, an audit tool, warns about these issues; see also the
Lynis website: https://cisofy.com/lynis/controls/PHP-2376/ , https://cisofy.com/lynis/controls/PHP-2378 )

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)

To Reproduce

Check configs

Expected behavior

N/A

Describe alternatives you considered

N/A

Screenshots

N/A

Relevant log files

N/A

Additional context

A Lynis audit run on OPNsense might help
(Lynis knows about BSD, just not OPNsense, so there might be false positives).
I will try to get Lynis fixed as well.

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 24.7.10 (amd64).
Intel® i7
Network Intel®
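
A check for the two directives named in the report, as an added example that is not part of the original issue and is not OPNsense code. It reads a single php.ini given as a path, treats an unset directive as PHP's built-in default (allow_url_fopen on, allow_url_include off), and uses hypothetical function names and constructed sample files.

```shell
#!/bin/sh
# Added example (not OPNsense code): audit one php.ini for URL-wrapper directives.

# Print the value of directive $2 in file $1; exit status 1 if it is never set.
# Assumption: a later assignment overrides an earlier one.
php_ini_value() {
    awk -v key="$2" '
        { sub(/;.*$/, "") }                        # drop ; comments
        (eq = index($0, "=")) {
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", name)
            gsub(/^[ \t"]+|[ \t\r"]+$/, "", val)
            if (name == key) { last = val; found = 1 }   # names are case-sensitive
        }
        END { if (!found) exit 1; print last }
    ' "$1"
}

# Succeed if $1 reads as an enabled boolean: on/yes/true or a non-zero integer.
php_bool_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|yes|true) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -ne 0 ] ;;
    esac
}

# Print "on" or "off" for directive $2 in file $1; $3 is PHP's default if unset.
effective_state() {
    v=$(php_ini_value "$1" "$2") || v=$3
    if php_bool_on "$v"; then echo on; else echo off; fi
}

# Report both directives; return 1 if either one is enabled.
audit_php_ini() {
    rc=0
    for pair in allow_url_fopen:1 allow_url_include:0; do
        state=$(effective_state "$1" "${pair%%:*}" "${pair##*:}")
        echo "${pair%%:*}: $state"
        [ "$state" = off ] || rc=1
    done
    return $rc
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '[PHP]' '; allow_url_fopen = Off' 'allow_url_include = Off' \
    'allow_url_include = On  ; later line wins' > "$tmp/weak.ini"
printf '%s\n' '[PHP]' 'allow_url_fopen = Off' 'allow_url_include = off' > "$tmp/hard.ini"
for f in weak hard; do
    echo "== $f.ini"; audit_php_ini "$tmp/$f.ini" || echo "finding: URL wrappers enabled"
done
```

The script does not cover additional .ini files from a scan directory or per-request overrides; `php --ini` lists the files PHP actually loads.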

@fichtner
Member

#7561

@fichtner fichtner added the support Community support label Dec 18, 2024