
Re: [LUG] Apache security flaw - my website cracked

Theo Zourzouvillys wrote:
> On Wednesday 19 July 2006 20:02, James Fidell wrote:
>> It's a shame it isn't possible to load both the php4 and php5
>> modules into the same web browser at the same time (at least, if
>> it is, I've found no workable way to do it).  It would make migration
>> so much easier.
> 
> you can, using mod_proxy and proxying any .php4 files to a separate server, or 
> vice versa - you can even do it on a per customer/domain basis.
>
> of course you need to add a few hacks like X-Originating-IP to ensure that the 
> source IP remains the same within the backend scripts, but not too much of a 
> problem.

Agreed, but it's still not a wonderful solution.

> imo it's bad design on PHP's part to break the language and not naturally 
> include backwards compatibility.

Indeed.  But this is PHP :)

> of course, if you're doing shared hosting where there are a lot of (untrusted) 
> users, i really hope they are not running mod_php.  if they are, they need 
> hitting with my security stick, which is actually getting rather dented 
> recently.

Ahh, well, on the systems I look after that do shared hosting and
mod_php I have also modified Apache somewhat so that all scripts,
whether PHP, perl or whatever, run as the site-owner, even where they
are executed within Apache itself (as with mod_php), or using fastcgi or
suexec, along with a few other "modifications".

The machines do still get broken into (allowing anyone to upload any
code they like to a server that supports php is pretty much begging for
this, really), but it doesn't create such a mess when it happens.

There's more I could do even now, but the pain of handholding thousands
of users through the necessary changes hasn't yet been deemed necessary.

James
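The split Theo describes (one Apache with mod_php5 in front, a separate PHP4-only Apache behind it, with only `.php4` URLs proxied and the client address carried across) looks roughly like the following. This is an added illustration, not configuration from anyone on the list; it assumes Apache 2.4 with mod_proxy, mod_proxy_http and mod_remoteip available, and the hostname, ports and paths are made up.

```apache
# ---- Front end: Apache 2.4 on :80, running mod_php5 for current sites ----
# Added example (not from the thread). legacy-customer.example, the
# document root and port 8080 are assumed values.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName   legacy-customer.example
    DocumentRoot /var/www/legacy-customer

    # Never act as an open forward proxy; only explicit ProxyPass rules apply.
    ProxyRequests Off

    # Pass the original Host: header through so the backend can pick the
    # same per-customer vhost (this is what makes per-domain splitting work).
    ProxyPreserveHost On

    # Only *.php4 URLs go to the PHP4 backend; everything else is served
    # here under mod_php5. Reverse-map redirects so Location: headers
    # issued by the backend point back at the front end.
    ProxyPassMatch   "^/(.*\.php4)$" "http://127.0.0.1:8080/$1"
    ProxyPassReverse "/"             "http://127.0.0.1:8080/"

    # mod_proxy_http adds X-Forwarded-For, X-Forwarded-Host and
    # X-Forwarded-Server on its own; no custom header is needed for the
    # backend to learn the real client address.
</VirtualHost>

# ---- Back end: separate Apache built with PHP4, loopback only ----
# Binding to 127.0.0.1 means only the front end on this machine can reach
# it, so the forwarded headers can be trusted from that one source.
Listen 127.0.0.1:8080
LoadModule remoteip_module modules/mod_remoteip.so

<VirtualHost 127.0.0.1:8080>
    ServerName   legacy-customer.example
    DocumentRoot /var/www/legacy-customer

    # Hand .php4 files to the PHP4 module on this server.
    AddType application/x-httpd-php .php4

    # Replace REMOTE_ADDR (and therefore $_SERVER['REMOTE_ADDR'] inside the
    # scripts) with the client address from X-Forwarded-For, but only when
    # the request arrived from the front end. Without RemoteIPInternalProxy
    # any client could spoof its address by sending the header itself.
    RemoteIPHeader        X-Forwarded-For
    RemoteIPInternalProxy 127.0.0.1
</VirtualHost>
```

The two directives that carry the security weight are `ProxyRequests Off` on the front end (a stray `On` turns a shared host into an open proxy) and `RemoteIPInternalProxy` on the back end, which is what makes "the source IP remains the same within the backend scripts" true without letting the scripts be fooled by a client-supplied header. If the backend lives on another machine, bind it to a private interface instead of loopback and list the front end's address in `RemoteIPInternalProxy`.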

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html