apache php security question


I recently (this morning) had a university server hacked.
This was a root compromise. The box is now disconnected.

This Suse10.1 linux box runs apache2, php5 and tomcat_4_something.
We haven't had time to examine the logs....to try and figure out
how this happened. We will.

This box is behind a firewall that allows email, ssh, port 80 for apache
and port 8080 for tomcat only. It seems most likely (just guessing at
this point) that they must have used a buffer overflow, related to
interactive forms, that run from both php5/apache and tomcat.

So here's my question:
If this does turn out to be a buffer overflow, how do you avoid this?
We look at GET parameters and (some, not that many actually)
POST parameters.

All of this processing needs to be examined and run through some
sort of a "clean" function, to strip out all but alphanum input.
But what about parameter length and size?

How does that work? Should this proposed new 'clean' function,
for sterilizing all input, also truncate input to a maximum parameter?
Or better yet, reject anything over some threshold size?
How big? Seems like something that could/should be controlled
in a config file.

Any informative help would be greatly appreciated.

Re: apache php security question

pittendrigh wrote:


It's rather unlikely even if you've got something stupid for
LimitRequestBody / LimitRequestFieldSize / post_max_size /

Most likely it's just a badly written bit of PHP.


See above.

Consider installing and configuring mod_security too. Or running behind a
reverse proxy that can log all the traffic.

There's at least one drop-in include file for sanitizing input (OWASP PHP
filters) which you should consider using.
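As an added illustration (not code from either poster or from the OWASP filters the reply names), here is the shape of the "clean" function the original post asks about: an allowlist pattern and a maximum length per parameter, kept in one config array, rejecting rather than truncating anything that does not fit. The names `validate_param` and `$limits` are hypothetical, and the sample input is constructed; the Apache and php.ini size limits the reply mentions still apply on top of this.

```php
<?php
// Per-parameter rules: allowed character class and maximum length.
// This array plays the role of the config file the original post wants;
// unknown parameter names are rejected because they have no entry here.
$limits = [
    'user'  => ['pattern' => '/\A[A-Za-z0-9_]+\z/', 'max' => 32],
    'query' => ['pattern' => '/\A[A-Za-z0-9 ]+\z/', 'max' => 200],
];

/**
 * Returns the validated value, or null when the parameter is missing,
 * is not a plain string, is longer than its cap, or contains characters
 * outside its allowlist. Rejecting (instead of truncating) means a
 * downstream script never sees a silently altered value.
 */
function validate_param(array $source, $name, array $limits)
{
    if (!isset($limits[$name]) || !isset($source[$name])) {
        return null;                   // unknown parameter or absent
    }
    $value = $source[$name];
    if (!is_string($value)) {
        return null;                   // PHP turns user[]=x into an array
    }
    // Length check first: an oversized value is dropped before any
    // regex work is spent on it.
    if (strlen($value) > $limits[$name]['max']) {
        return null;
    }
    if (preg_match($limits[$name]['pattern'], $value) !== 1) {
        return null;
    }
    return $value;
}

// Constructed sample input standing in for $_GET or $_POST.
$sample = [
    'user'  => 'alice_01',            // fits the allowlist and the cap
    'query' => "x'; drop table t; --", // quote and semicolons are outside it
    'extra' => 'anything',            // no entry in $limits
];

foreach (['user', 'query', 'extra'] as $name) {
    $result = validate_param($sample, $name, $limits);
    echo $name, ': ', ($result === null ? 'rejected' : 'ok'), PHP_EOL;
}
```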


