Full Disclosure mailing list archives
From: Stefan Esser <sesser () hardened-php net>
Date: Mon, 20 Jun 2005 15:55:00 +0200

Hello,

If you want to fully protect your customers against each other, you need to use
a CGI-like implementation. If you have only a few separated vhosts, you can also
try to have one httpd per customer and a reverse proxy...

If you do not want this, you should at least perform the following steps:

        1) chroot the httpd (and remove absolutely everything not needed)
        2) move all document root and tmp (upload/session) dirs per vhost
           to some unguessable location
           like /sites/[md5hash-here]/..../htdocs
        3) Make the /sites directory not readable by the webserver
           (so no enumeration is possible)
        4) Patch PHP so that paths are not disclosed in phpinfo()/error messages
           (or at least the md5 component)
        5) Oh yeah, and of course have your httpd.conf at some unguessable
           place
        6) disable ALL functions that could execute shell commands
           (if that is not possible, then bad luck)
        7) Finally pray that your users do not install scripts that print
           out the content of __FILE__ on error and so disclose their paths

        8) *Remind yourself that this setup is not foolproof*


Stefan Esser 
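As an added example (not part of Stefan's post), the following script lays out steps 2, 3 and 6 of the list above: a per-vhost document/tmp/session tree under an unguessable random id, a base directory that is traversable but not listable by the webserver, and a vhost fragment that disables shell-executing functions. The base path /sites, the mod_php `php_admin_value` directives and the function list are assumptions; "patch PHP" (step 4) is approximated here by turning off `display_errors` and `expose_php`.

```shell
#!/bin/sh
# Added example, not from the original post. Creates
# <base>/<random-id>/{htdocs,tmp,sessions} and prints a matching
# Apache/mod_php vhost fragment. Paths and ini keys are illustrative.
set -eu

# 128-bit random hex id, standing in for the "[md5hash-here]" component.
new_site_id() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# create_site BASE ID: make the tree and echo ID back.
create_site() {
    base="$1"; id="$2"
    mkdir -p "$base"
    chmod 0711 "$base"          # step 3: cd/traverse allowed, listing denied
    mkdir -p "$base/$id/htdocs" "$base/$id/tmp" "$base/$id/sessions"
    chmod 0750 "$base/$id"      # no read access for other customers' uids
    chmod 0770 "$base/$id/tmp" "$base/$id/sessions"   # writable by the vhost
    printf '%s\n' "$id"
}

# vhost_conf BASE ID HOSTNAME: emit the vhost stanza (assumed directives).
vhost_conf() {
    base="$1"; id="$2"; host="$3"
    cat <<EOF
<VirtualHost *:80>
    ServerName $host
    DocumentRoot $base/$id/htdocs
    php_admin_value open_basedir $base/$id
    php_admin_value upload_tmp_dir $base/$id/tmp
    php_admin_value session.save_path $base/$id/sessions
    # step 6: functions that can spawn a shell
    php_admin_value disable_functions exec,passthru,shell_exec,system,proc_open,popen
    # approximation of step 4: keep paths out of error output and headers
    php_admin_flag display_errors Off
    php_admin_flag expose_php Off
</VirtualHost>
EOF
}

# Usage (assumes permission to create the base directory):
#   base=/sites; id=$(new_site_id)
#   create_site "$base" "$id" >/dev/null
#   vhost_conf "$base" "$id" customer1.example >> /etc/httpd/conf/vhosts.conf
```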
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/