
apache php security question

I recently (this morning) had a university server hacked.
This was a root compromise. The box is now disconnected.

This SUSE 10.1 Linux box runs Apache 2, PHP 5 and Tomcat 4.something.
We haven't had time to examine the logs to try and figure out
how this happened. We will.

This box is behind a firewall that allows email, SSH, port 80 for Apache
and port 8080 for Tomcat only. It seems most likely (just guessing at
this point) that they must have used a buffer overflow, related to
interactive forms, that run from both PHP 5/Apache and Tomcat.

So here's my question:
If this does turn out to be a buffer overflow, how do you avoid this?
We look at GET parameters and (some, not that many actually)
POST parameters.

All of this processing needs to be examined and run through some
sort of a "clean" function, to strip out all but alphanumeric input.
But what about parameter length and size?

How does that work? Should this proposed new 'clean' function,
for sterilizing all input, also truncate input to a maximum parameter
size? Or, better yet, reject anything over some threshold size?
How big? Seems like something that could/should be controlled
in a config file.

Any informative help would be greatly appreciated.

Jan 12 '07 #1
pittendrigh wrote:
> I recently (this morning) had a university server hacked.
> This was a root compromise. The box is now disconnected.
<snip>
> So here's my question:
> If this does turn out to be a buffer overflow, how do you avoid this?

It's rather unlikely, even if you've got something stupid for
LimitRequestBody / LimitRequestFieldSize / post_max_size /
upload_max_filesize.

Most likely it's just a badly written bit of PHP.

> We look at GET parameters and (some, not that many actually)
> POST parameters.
>
> All of this processing needs to be examined and run through some
> sort of a "clean" function, to strip out all but alphanumeric input.
> But what about parameter length and size?

See above.

Consider installing and configuring mod_security too. Or running behind a
reverse proxy that can log all the traffic.

There's at least one drop-in include file for sanitizing input (OWASP PHP
filters) which you should consider using.

HTH

C.
Jan 13 '07 #2
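The original poster asks whether a "clean" function should truncate or reject over-length parameters and where the limits should live; the reply points at post_max_size and the Apache request-size directives. The block below is an added example written for this page, not code from either poster or from the OWASP PHP filters the reply mentions. It shows a whitelist-based validator with a per-parameter byte limit that rejects rather than truncates, plus a check for the one post_max_size behaviour that bites form handlers: when the body is larger than post_max_size, PHP leaves $_POST empty instead of raising an error. The parameter names (user, page, comment), their patterns and limits, and the sample request are all assumptions constructed for the example.

```php
<?php
// Added example, not from the original thread. Parameter names, patterns,
// limits and the sample request below are assumptions for illustration.

// Per-parameter policy: a regex describing what IS allowed (a whitelist,
// not a list of bad characters) and a hard maximum length in bytes.
// In a real deployment this array would be loaded from a config file.
$policy = array(
    'user'    => array('pattern' => '/\A[a-z0-9_]+\z/',             'max' => 32),
    'page'    => array('pattern' => '/\A[0-9]{1,6}\z/',             'max' => 6),
    'comment' => array('pattern' => '/\A[\p{L}\p{N} .,!?\'-]*\z/u', 'max' => 2000),
);

/**
 * Validate $input (for example $_GET or $_POST) against $policy.
 * Returns array('ok' => bool, 'params' => array, 'errors' => array).
 * Parameters not in the policy are dropped. Anything over length or not
 * matching its pattern is rejected outright: a truncated value is still
 * attacker-chosen, just shorter, and silently changing it hides the fact
 * that someone is probing the form.
 */
function validate_params(array $input, array $policy)
{
    $clean  = array();
    $errors = array();
    foreach ($policy as $name => $rule) {
        if (!array_key_exists($name, $input)) {
            continue; // absent; the caller decides whether it was required
        }
        $value = $input[$name];
        if (!is_string($value)) {          // refuse array-valued foo[]=... params
            $errors[$name] = 'not a scalar';
            continue;
        }
        // Length first: strlen() counts bytes, so a multi-byte payload cannot
        // slip past a character count, and it is cheaper than the regex.
        if (strlen($value) > $rule['max']) {
            $errors[$name] = 'too long (' . strlen($value) . ' > ' . $rule['max'] . ')';
            continue;
        }
        if (preg_match($rule['pattern'], $value) !== 1) {
            $errors[$name] = 'contains disallowed characters';
            continue;
        }
        $clean[$name] = $value;
    }
    return array('ok' => empty($errors), 'params' => $clean, 'errors' => $errors);
}

// Convert a php.ini shorthand size such as "8M" or "512K" to bytes.
function ini_size_to_bytes($v)
{
    $v = trim($v);
    $n = (int) $v;                          // (int)"8M" === 8
    switch (strtoupper(substr($v, -1))) {
        case 'G': return $n * 1024 * 1024 * 1024;
        case 'M': return $n * 1024 * 1024;
        case 'K': return $n * 1024;
        default:  return $n;
    }
}

/**
 * If the request body exceeds post_max_size, PHP does not fail the request;
 * it hands the script an empty $_POST, so the handler sees "no input" rather
 * than "too much input". The declared Content-Length still tells the truth.
 */
function body_exceeds_post_max_size($content_length, $post_max_size)
{
    return (int) $content_length > ini_size_to_bytes($post_max_size);
}

// Constructed sample standing in for $_GET: one good value, one oversized,
// one with characters outside its whitelist, one not covered by the policy.
$sample = array(
    'user'    => 'jdoe',
    'page'    => str_repeat('9', 40),
    'comment' => 'nice <script>alert(1)</script>',
    'debug'   => '1',
);

$result = validate_params($sample, $policy);
if (!$result['ok']) {
    // In a real handler: send a 400, log the offending name (not the raw
    // value, which may be a payload), and stop processing.
    foreach ($result['errors'] as $name => $why) {
        echo "reject $name: $why\n";
    }
} else {
    echo 'accepted: ' . implode(',', array_keys($result['params'])) . "\n";
}

$postMax = ini_get('post_max_size');
$declared = isset($_SERVER['CONTENT_LENGTH']) ? $_SERVER['CONTENT_LENGTH'] : 0;
if (body_exceeds_post_max_size($declared, $postMax)) {
    echo "request body exceeds post_max_size ($postMax); \$_POST would be empty\n";
}
```

Run from the CLI it exercises only the constructed sample; under Apache the same functions would be applied to $_GET and $_POST. The policy is deliberately a whitelist of what each field may contain rather than a strip-the-bad-characters routine, because a list of forbidden characters is only as good as the attacker's imagination, and it is the kind of thing the original poster wanted to keep in a config file. Note that this is an application-level check and complements, rather than replaces, the server-side limits (LimitRequestBody, LimitRequestFieldSize, post_max_size) named in the reply, which are enforced before any script runs.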


