PHP apps: Security's Low-Hanging Fruit
Kelly Martin, 2007-01-08

PHP has become the most popular application language on the web, but common security mistakes by developers are giving PHP a bad name. Here's how PHP coding errors have become the new low-hanging fruit for attackers, contributing to the phishing problems on the web.

Don't forget basic file system security 2007-01-09
Void (1 reply)
Also, please don't overlook basic file system security. This one is a bigger crime than coding in an unintentional vulnerability, in my opinion. I just have to shake my head when I see these defacements happen that wouldn't have happened if they had just applied basic/proper file system security. I have seen tutorials that tell the user to change the ownership of their web directory structure to the same user the web server runs under. Duh!! Someone deface my web site, PLEASE! Even if a PHP script is exploited, if the exploiter doesn't have permission to drop his files, the site won't be defaced in most instances. Also, don't forget to think about the security on the underlying database. Does the script user really need to be granted INSERT, UPDATE, DELETE?

Link to this comment: http://www.securityfocus.com/comments/columns/427/34248#34248
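The permission mistake the comment above describes (web root owned by the account the web server runs as) can be checked and corrected with a few shell functions. The script below is an added example, not code from the column, the commenter, or SecurityFocus; the web root path, the `www-data`-style account name, and the optional upload directory are assumptions for illustration. It audits a tree for anything the web-server account owns or that is world-writable, and then reassigns ownership to a separate deployment account with read-only modes, leaving at most one directory writable by the server.

```shell
#!/bin/sh
# Added example (not from the column or the comment): audit a PHP web root for
# files the web-server account could modify, then fix ownership and modes so
# only the deployment account can write.  Account names and paths are
# assumptions for illustration.

# List every path under $1 owned by account $2.  If $2 is the account the web
# server runs as, each path printed is one a compromised PHP script could
# overwrite, which is exactly what makes a defacement possible.
find_owned_by() {
    find "$1" -user "$2" -print 2>/dev/null | sort
}

# List world-writable paths under $1 (the octal 0002 bit is set).  These are
# writable by any local account, web server included, whoever owns them.
find_world_writable() {
    find "$1" -perm -0002 -print 2>/dev/null | sort
}

# Exit 0 when neither check reports anything, 1 otherwise.
webroot_is_clean() {
    [ -z "$(find_owned_by "$1" "$2")" ] && [ -z "$(find_world_writable "$1")" ]
}

# Make $1 owned by the deployment account $2 (not the web-server account), with
# directories 755 and files 644 so everyone else, the server included, can only
# read.  Optionally, directory $3 (for example an upload area) is handed to the
# web-server group $4 as the single place the server may write; such a
# directory is assumed to be served without PHP execution.
harden_webroot() {
    root="$1"; owner="$2"; writable="$3"; webgroup="$4"
    chown -R "$owner" "$root"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -n "$writable" ] && [ -d "$root/$writable" ]; then
        chgrp "$webgroup" "$root/$writable"
        chmod 770 "$root/$writable"   # owner and web-server group write; no world access
    fi
}

# Usage (assumed paths and accounts):
#   webroot_is_clean /var/www/html www-data || harden_webroot /var/www/html deploy uploads www-data
```

Run the audit as a routine check rather than once: a redeploy or an unpacked archive can silently hand files back to the wrong owner. The same least-privilege idea applies to the database account the comment mentions: the application's credentials should carry only the statements it actually issues, and INSERT, UPDATE or DELETE only on the tables that need them.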
PHP apps: Security's Low-Hanging Fruit 2007-01-12
Kevin Waterson
Don't blame PHP, it's the newbies 2007-11-03
Catalin Hulea
Copyright 2008, SecurityFocus