Security Basics mailing list archives

Fw: About malicious java script running...


From: "GUs" <rootz () fibertel com ar>
Date: Tue, 9 Dec 2003 20:14:55 -0300

In fact, if Global Variables is set to "YES" in your PHP config, then you
have a big problem.
Because the $a variable could be, e.g.:
http://host.com/file.php?var=../../../../etc/passwd
This issue depends on your entire system configuration.
1) Restrict the permissions that your script could invoke.
There are a few lines in your config file to do that.
2) Chrooting Apache will give you more security and it is a
good practice in web-server security even if an "attacker" has compromised
your system. But there is always more :).
3) Read http://www.linuxsecurity.com/articles/documentation_article-5788.html
to learn about secure programming techniques for PHP.
There are a lot of techniques to protect your webserver and good
secure programming, but this is "security-basics" and all this could be
enough for now.
Keep your eyes open and your mind free. Review your code 1000 times.
Protect your network.
Watch out for your routers. Patch it all. :)
cheers,

(EthNic)
Gustavo T.
IT-Student & Tech support.
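
The traversal case from the message above (var=../../../../etc/passwd), as an added example that is not part of the original post: a containment check that resolves the requested name and serves it only if it stays inside a fixed directory. The function name resolve_inside, the directory layout and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Assumes file.php serves a file
// named by the "var" request parameter from a fixed content directory.

// Pattern the message warns about (kept as a comment so it never runs):
//   readfile("/var/www/pages/" . $var);   // $var filled in from the URL
// With var=../../../../etc/passwd the path resolves outside /var/www/pages.

/**
 * Resolve a user-supplied name to a file inside $baseDir, or return null.
 * resolve_inside is a hypothetical helper name.
 */
function resolve_inside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks; it returns false if the
    // target does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still be under the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary content directory holding one page.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'about.txt', "About us\n");

// Constructed sample values; in file.php the value would be read explicitly
// from $_GET['var'] rather than arriving as a global variable.
$samples = ['about.txt', '../../../../etc/passwd', 'missing.txt', "about.txt\0.png"];
foreach ($samples as $var) {
    $path = resolve_inside($base, $var);
    printf("%-28s => %s\n", json_encode($var), $path === null ? 'rejected' : 'served');
}

unlink($base . DIRECTORY_SEPARATOR . 'about.txt');
rmdir($base);
```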


