At 07:37 PM 5/8/2005, Stuart Low wrote:
>Heya, PHP as a CGI also requires users (read, typically, morons) to add a
>shebang line to their scripts.

Seems like a small, but ongoing price to pay. I guess the same question over and over could drive you nuts after a while. But then again, it seems like you could give them a so-called PHP safe dir. Call it something like that anyway, and that could avoid a few questions. But that raises another question: I never have been able to find the equivalent of ExecCGI for PHP. It just seems like it is not done. I found one example of a guy who did this with a list of handler statements in an .htaccess file. A horrible idea. A web designer tried to make some additions to the .htaccess file, pooched it and brought down the whole website as a result :)

>What we do is put in an open_basedir for all vhosts at a bare minimum.
>Another favourite is the mod_suexec module additions for mod_php (I forget
>the exact name). Another countermeasure is mod_security which can block
>phpBB exploit attempts (and other common ones).
>
>Stuart

I would not tend to think very much of open_basedir by itself, but the other options you mention sound like they are worthwhile. Thanks for the info, I was curious and you filled in some blanks.

Eric
On Sun, 2005-05-08 at 19:13 -0700, Eric Frazier wrote:
> Hi,
>
> Does no one use cgi wrap anymore? I thought that the best way to handle
> this kind of thing is to run PHP as a CGI first off, and then use something
> like wrap to isolate users. Yes, lesser performance, but people running on
> shared servers get what they pay for, and it certainly makes sense to take
> their security first and performance second.
>
> Eric
>
> At 06:55 PM 5/8/2005, Gary W. Smith wrote:
> >Here is the explanation as you have already presented it:
> >
> >All users' sites are owned by httpd.
> >There are multiple user sites, we'll say a-z.
> >Site a is running PHPbb with a version known to be buggy.
> >Someone issues a hack against site a. The hack says modify site b-z.
> >Apache says, why not, I own the files so I can.
> >User from site j complains because site is hacked.
> >
> >The rule of thumb is that apache can edit any file it has read/write
> >access to.
> >
> >What we have done in the past to prevent this:
> >
> >We have multiple sites running on single boxes and ensure that this
> >doesn't happen by having the files owned by the user with read-only
> >access to apache (r/w is assigned by the users at their own risk,
> >usually only to directories they need to upload to).
> >
> >If your users fail to update their versions of phpbb there isn't much you
> >can do, but you are also not responsible for their failure to do so.
> >
> >We also turn on open base dir per virtual instance (all on one line).
> >php_admin_value open_basedir "/tmp:
> >/home/whateveruser/html:
> >/usr/local/horde:
> >/usr/local/lib"
> >
> >This might help, but it won't hurt!
> >
> > > ----- Original Message -----
> > > From: "Mathew Thomas" <mathew.thomas@xxxxxxxxxxx>
> > > To: <users@xxxxxxxxxxxxxxxx>
> > > Sent: Sunday, May 08, 2005 8:23 PM
> > > Subject: Re: [users@httpd] Hacked the website replace the index.hm page
> > >
> > >
> > > Hi Tim,
> > >
> > > Could you please explain it a bit more. There is no connection between
> > > the hacked website and the phpBB website (both are different virtual
> > > hosts). We are using php version 4.3.9. Do you mean upgrade php?
> > >
> > > Thanks
> > > Mathew
> > >
> > >
> > >
> >---------------------------------------------------------------------
> >The official User-To-User support forum of the Apache HTTP Server Project.
> >See <URL:http://httpd.apache.org/userslist.html> for more info.
> >To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> >For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
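Added example, not code from the thread or any of its authors: a POSIX shell audit of a vhost document root that lists the files the httpd worker could modify, which is the condition Gary and Stuart describe above (files owned by or writable by the web user). The web user/group name (default "www-data") and the document root path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a vhost document root for files
# the Apache worker could modify. The thread's rule of thumb is that Apache
# can edit anything it has write access to, so a safe layout has files owned
# by the site user with read-only access for the web user.
# Assumptions: WEBUSER is the account httpd runs as (constructed default
# "www-data", also used as the group name); only POSIX find(1) is needed.

# Files owned by the web-server user itself: a compromised PHP script
# running as that user can rewrite them (the "Apache owns the files" case).
find_owned_by_webuser() {
    find "$1" -type f -user "${2:-www-data}" 2>/dev/null || true
}

# World-writable files: writable by every local account, httpd included.
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null || true
}

# Group-writable files whose group is the web-server group.
find_group_writable_for() {
    find "$1" -type f -perm -0020 -group "${2:-www-data}" 2>/dev/null || true
}

# Print the unique set of at-risk files under a document root.
list_at_risk() {
    dir=$1; webuser=${2:-www-data}
    {
        find_owned_by_webuser "$dir" "$webuser"
        find_world_writable "$dir"
        find_group_writable_for "$dir" "$webuser"
    } | sort -u
}

# Number of at-risk files; zero means the layout matches the thread's advice
# (site-user ownership, read-only for httpd, write only where uploads go).
audit_webroot() {
    list_at_risk "$1" "${2:-www-data}" | wc -l | tr -d ' '
}

# Usage: sh audit.sh /home/whateveruser/html www-data
if [ $# -ge 1 ]; then
    list_at_risk "$1" "${2:-www-data}"
    echo "at-risk files: $(audit_webroot "$1" "${2:-www-data}")"
fi
```

Run it against each vhost's document root after setting ownership; upload directories that users deliberately opened for writing will show up, so review that list rather than expecting an empty one.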