BugTraq
PHP security (or the lack thereof) Jun 16 2006 11:21AM
Darren Reed (avalon caligula anu edu au) (4 replies)
Re: PHP security (or the lack thereof) Jun 19 2006 05:07PM
Neil Neely (neil frii com) (1 replies)

On Jun 16, 2006, at 5:21 AM, Darren Reed wrote:

[Funny commentary picking on PHP deleted]

For those of us that have to administer shared hosting servers where
customers can and do build/install very poorly written web
applications, it can be a full-time job trying to protect your
server. The fact that the majority of these target PHP is
interesting, but frankly not really relevant to those of us that need
to maintain the environment. Due to the aggressive attempts to
exploit these web applications we found we needed to do something
more, and we found an excellent tool that helps out a lot with this,
at least on servers running Apache:

http://www.modsecurity.org/

It is essentially an application layer firewall that blocks certain
known bad patterns from being passed through to the underlying web
applications. This is in no way a substitute for good security
policies on your web servers and ultimately fixing the underlying
security problems of the web applications. When tuned well it can be
a useful additional layer to help defend your server. It won't stop
the underlying application from having terrible logic that is
exploitable, but as you tune your modsecurity setup over time you can
at least mitigate some of it.

I just wanted to pass this on in case any admins reading this list
didn't know about it. It's really saved us a lot of time and energy.

Cheers,
Neil
