Fw: About malicious java sciprt running...
From: GUs (rootz_at_fibertel.com.ar)
Date: 12/10/03
- Previous message: Rod Trent: "RE: Messenger service abuse (from inside the network)"
- Maybe in reply to: Trystano_at_aol.com: "About malicious java sciprt running..."
- Next in thread: Steve: "security awareness employee briefings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <s970501@ku.edu.np>, <security-basics@securityfocus.com> Date: Tue, 9 Dec 2003 20:14:55 -0300
In fact, if Global Variables is set to "YES" in your php config, then you
have a big problem.
Because de $a variable could be i.e.:
http://host.com/file.php?var=../../../../etc/passwd
This issue depend of your entire system configuration.
1) Restrict the permissions that your script could invoque.
There is a few lines in your config file to do that.
2) Chrooting APACHE will give you more security and it is a
good practice in web-server security even if an "atacker" has compromised
your system. But there is always more :).
3)Read http://www.linuxsecurity.com/articles/documentation_article-5788.html
to know about secure prgramming techniques over php.
There is a lot of techniques to protect your webserver and good
secure programming, but this is "security-basics" and all this could be
enough for now.
Keeps your eyes open and your mind free. Review 1000 times your codes.
Protect your network.
Watch out with your Routers. Patch it all. :)
cheers,
(EthNic)
Gustavo T.
IT-Student & Tech support.
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Previous message: Rod Trent: "RE: Messenger service abuse (from inside the network)"
- Maybe in reply to: Trystano_at_aol.com: "About malicious java sciprt running..."
- Next in thread: Steve: "security awareness employee briefings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
