WebApp Sec mailing list archives
Re: Mambo, Coppermine and PHPBB Attacks
From: Yasuo Ohgaki <yohgaki () ohgaki net>
Date: Mon, 26 Dec 2005 05:38:39 +0900
Paul Laudanski wrote:
On Sun, 25 Dec 2005, Yasuo Ohgaki wrote:It's great if this failsafe feature works as expected. Nobody can guarantee newbie php programmer make such hole in an app. These changes made allow_url_fopen=off useless.Its not about a single solution being the silver bullet. The only security is defense in depth. You build secure code. You filter input and output. You configure php.ini properly. You configure httpd.conf properly. Install mod_security. Install an IDS that filters for well known attacks against your server. Install a reporting tool that monitors your logs. Make sure your PHP reports warnings, errors, and fix them... Point is... its only a step in the overall level of layered security. The more tools you put up, as you require or can use but only you can determine that, the more an attacker has to get thru.
I agree. But I don't insist nx bit support is useless. Failsafe feature would be nice, especially if there are many programmers. If building secure code is easy, there would be no buffer overflows in recent C/C++ programs. Anyway, most php script do not need remote script execution feature. And even with SELinux, it cannot prevent to execute remote code while access to local file could be rejected and reported. Making allow_url_fopen useless is bad thing. Remote code execution bug is common pit hole for newbie php programmers. -- Yasuo Ohgaki
Current thread:
- Mambo, Coppermine and PHPBB Attacks Mark Ryan del Moral Talabis (Dec 18)
- RE: Mambo, Coppermine and PHPBB Attacks John Cobb (Dec 19)
- Re: Mambo, Coppermine and PHPBB Attacks Paul Laudanski (Dec 20)
- Re: Mambo, Coppermine and PHPBB Attacks Tofik Suleymanov (Dec 20)
- Re: Mambo, Coppermine and PHPBB Attacks Paul Laudanski (Dec 21)
- Re: Mambo, Coppermine and PHPBB Attacks Yasuo Ohgaki (Dec 24)
- Re: Mambo, Coppermine and PHPBB Attacks Paul Laudanski (Dec 24)
- Re: Mambo, Coppermine and PHPBB Attacks Yasuo Ohgaki (Dec 25)
- Re: Mambo, Coppermine and PHPBB Attacks Paul Laudanski (Dec 25)
- Re: Mambo, Coppermine and PHPBB Attacks Yasuo Ohgaki (Dec 29)
- Re: Mambo, Coppermine and PHPBB Attacks ascii (Dec 29)
- Re: Mambo, Coppermine and PHPBB Attacks Andrew van der Stock (Dec 29)
- Re: Mambo, Coppermine and PHPBB Attacks Tofik Suleymanov (Dec 20)
- Re: Mambo, Coppermine and PHPBB Attacks Jack Tennessee (Dec 22)