Package: mantis
Version: 1.1.6+dfsg-2lenny1
Severity: wishlist

Hi,

would you add these options to the default settings of Apache's config for mantis? I'm running phpmyadmin with these options set and don't have any problems, but I don't use all features, hence these settings might not be useful for everybody. But the idea should be clear: disable PHP features that aren't used by mantis and restrict access to make life harder for bad boys who misuse functions of mantis. Mantis does not use the PHP feature url fopen or any of the functions that run a shell function or open a socket to the outside. I think these features should be disabled. Also the restriction of open_basedir would be helpful.

php_admin_flag display_errors Off
php_admin_flag log_errors On
php_admin_flag html_errors Off
php_admin_flag allow_url_fopen Off
php_admin_flag safe_mode On
php_admin_value upload_tmp_dir "/tmp"
php_admin_value open_basedir "/usr/share/mantis/www/:/etc/mantis/:/usr/share/php/libphp-phpmailer/:/usr/share/php/adodb/:/tmp/"
php_admin_value disable_functions "exec,passthru,popen,proc_open,shell_exec,system,socket_create,fsockopen,pfsockopen"

Bye, Jörg.

-- System Information:
Debian Release: unstable/experimental
  APT prefers unstable
  APT policy: (900, 'unstable'), (700, 'experimental')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.36-rc5+
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
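A small audit script for the directives proposed in the report, as an added example (not part of the report or of the Debian mantis package): it parses the php_admin_flag/php_admin_value lines of an Apache snippet and reports which of the requested settings are missing or weaker than asked for. The sample snippet at the bottom is constructed and deliberately incomplete.

```python
"""Audit a mantis Apache snippet for the PHP hardening directives the report
proposes. Added example, not from the report or the Debian package."""
import re
import shlex
# Flag directives requested by the report; values compared case-insensitively.
REQUIRED_FLAGS = {"display_errors": "off", "log_errors": "on", "html_errors": "off",
                  "allow_url_fopen": "off", "safe_mode": "on"}
# Every one of these must appear in disable_functions (a superset is fine).
REQUIRED_DISABLED = {"exec", "passthru", "popen", "proc_open", "shell_exec",
                     "system", "socket_create", "fsockopen", "pfsockopen"}

def parse_php_admin(conf_text):
    """Map directive name -> value for php_admin_flag/php_admin_value lines;
    a later line overrides an earlier one, as Apache itself does."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if m := re.match(r"php_admin_(?:flag|value)\s+(\S+)\s+(.+)$", line, re.I):
            # shlex strips the quotes Apache allows around a value
            settings[m.group(1).lower()] = shlex.split(m.group(2))[0]
    return settings

def audit(conf_text):
    """Return findings; an empty list means every requested directive is in place."""
    s = parse_php_admin(conf_text)
    findings = []
    for name, want in REQUIRED_FLAGS.items():
        got = s.get(name)
        if got is None:
            findings.append(f"{name}: not set")
        elif got.lower() != want:
            findings.append(f"{name}: is {got}, expected {want}")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    if missing := sorted(REQUIRED_DISABLED - disabled):
        findings.append("disable_functions: missing " + ",".join(missing))
    if "open_basedir" not in s:
        findings.append("open_basedir: not set")
    return findings

# Constructed sample: display_errors left On, pfsockopen still enabled, no open_basedir.
SAMPLE_CONF = """<Directory /usr/share/mantis/www>
    php_admin_flag display_errors On
    php_admin_flag log_errors On
    php_admin_flag html_errors Off
    php_admin_flag allow_url_fopen Off
    php_admin_flag safe_mode On
    php_admin_value upload_tmp_dir "/tmp"
    php_admin_value disable_functions "exec,passthru,popen,proc_open,shell_exec,system,socket_create,fsockopen"
</Directory>"""
```

Running audit(SAMPLE_CONF) lists the three gaps; once the snippet carries the full set from the report the list is empty.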