apache php security question
Posted on January 12, 2007, 4:32 pm
This was a root compromise. The box is now disconnected.
This SUSE 10.1 Linux box runs apache2, php5 and tomcat_4_something.
We haven't had time to examine the logs... to try and figure out
how this happened. We will.
This box is behind a firewall that allows email, ssh, port 80 for apache
and port 8080 for tomcat only. It seems most likely (just guessing at
that they must have used a buffer overflow, related to interactive
run from both php5/apache and tomcat.
So here's my question:
If this does turn out to be a buffer overflow, how do you avoid this?
We look at GET parameters and (some, not that many actually)
All of this processing needs to be examined and run through some
sort of a "clean" function, to strip out all but alphanum input.
But what about parameter length and size?
How does that work? Should this proposed new 'clean' function,
for sterilizing all input, also truncate input to a maximum parameter
Or better yet reject over some threshold size...
How big? ... seems like something that could/should be controlled
in a config file.
Any informative help would be greatly appreciated.
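The "clean" function the poster is asking about, written out as an added example (this is not code from the thread, and the names clean_param, clean_request and $INPUT_LIMITS are assumptions): an alphanumeric allow-list combined with a per-parameter maximum length read from a config array that stands in for the config file. It rejects over-length or non-alphanumeric input instead of truncating it, so a bad request fails loudly and shows up in the logs rather than being quietly turned into something that looks valid. Assumes PHP 7 or later.

```php
<?php
// Added example, not from the thread. Names below (clean_param,
// clean_request, $INPUT_LIMITS) are assumptions for illustration.

// Stand-in for the config file the poster mentions: per-parameter maximum
// byte lengths plus a default for anything not listed. Values are constructed.
$INPUT_LIMITS = [
    'default' => 64,
    'user'    => 32,
    'page'    => 8,
];

/**
 * Validate one request parameter.
 * Returns the value unchanged when it consists only of [A-Za-z0-9] and is
 * within the configured length; throws otherwise so the caller can refuse
 * the request. Rejecting beats truncating: truncation turns bad input into
 * plausible-looking input and hides the attempt from the logs.
 */
function clean_param(string $name, $value, array $limits): string
{
    if (!is_string($value)) {
        // PHP builds arrays for "name[]=x"; refuse those for scalar params.
        throw new InvalidArgumentException("$name: expected a scalar value");
    }
    $max = $limits[$name] ?? $limits['default'];
    // strlen() counts bytes, which is what a size limit should count.
    if (strlen($value) > $max) {
        throw new LengthException("$name: longer than $max bytes");
    }
    // \A and \z anchor the whole string; an empty value is allowed here.
    if (!preg_match('/\A[A-Za-z0-9]*\z/', $value)) {
        throw new InvalidArgumentException("$name: non-alphanumeric input");
    }
    return $value;
}

/**
 * Apply clean_param() to every expected GET parameter. Parameters that are
 * not expected are dropped; one bad parameter rejects the whole request.
 */
function clean_request(array $get, array $expected, array $limits): array
{
    $clean = [];
    foreach ($expected as $name) {
        $clean[$name] = clean_param($name, $get[$name] ?? '', $limits);
    }
    return $clean;
}

// Constructed sample requests showing the three outcomes.
$samples = [
    ['user' => 'alice', 'page' => '42'],                 // accepted
    ['user' => 'alice', 'page' => str_repeat('9', 20)],  // too long
    ['user' => "bob'; DROP TABLE", 'page' => '1'],       // bad characters
];
foreach ($samples as $get) {
    try {
        $ok = clean_request($get, ['user', 'page'], $INPUT_LIMITS);
        echo "accepted: ", http_build_query($ok), "\n";
    } catch (Exception $e) {
        // In a real handler: http_response_code(400); error_log(...); exit;
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

In a real handler the catch branch would send a 400 and log the offending parameter name. This check sits behind, not instead of, the server-level limits: Apache's LimitRequestBody and LimitRequestFieldSize and php.ini's post_max_size cap what reaches the script at all, while the per-parameter limit here is what the application actually knows is reasonable for each field.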
Re: apache php security question
It's rather unlikely even if you've got something stupid for
LimitRequestBody / LimitRequestFieldSize / post_max_size /
Most likely it's just a badly written bit of PHP.
Consider installing and configuring mod_security too. Or running behind a
reverse proxy that can log all the traffic.
There's at least one drop-in include file for sanitizing input (OWASP PHP
filters) which you should consider using.