[CentOS] Strange Apache log entry
Keith Roberts
keith at karsites.net
Thu Aug 26 10:29:17 UTC 2010
On Wed, 25 Aug 2010, Gordon Messmer wrote:
> To: CentOS mailing list <centos at centos.org>
> From: Gordon Messmer <yinyang at eburg.com>
> Subject: Re: [CentOS] Strange Apache log entry
>
> On 08/24/2010 04:25 AM, Keith Roberts wrote:
>>
>> So bolting down PHP really tight should address these hacks?
>
> No. This vulnerability would be in a PHP application. I don't believe
> you could configure PHP in such a way that this would no longer be a
> problem.
Hi Gordon.
register_globals is supposed to be off by default - so that
should stop any global variables being injected.
; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
;
; http://www.php.net/manual/en/ini.core.php#ini.register-globals
register_globals = Off
; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
;
; http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.open-basedir
;open_basedir =""
; display_errors
;
; This directive controls whether or not and where PHP will output errors,
; notices and warnings too. Error output is very useful during development, but
; it could be very dangerous in production environments. Depending on the code
; which is triggering the error, sensitive information could potentially leak
; out of your application such as database usernames and passwords or worse.
; It's recommended that errors be logged on production servers rather than
; having the errors sent to STDOUT.
; Possible Values:
; Off = Do not display any errors
; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
; On or stdout = Display errors to STDOUT
; Default Value: On
; Development Value: On
; Production Value: Off
;
; http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors
; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below).
display_errors = OFF
I'm sure there are other things that can be configured to
make this attack much more difficult.
Kind Regards,
Keith
-----------------------------------------------------------------
Websites:
http://www.php-debuggers.net
http://www.karsites.net
http://www.raised-from-the-dead.org.uk
All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
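An added audit script, not from the thread or from PHP's own tooling, that parses a php.ini excerpt and flags the three directives quoted above (register_globals on, open_basedir unset, display_errors on); the excerpt it checks is constructed to mirror Keith's settings, and it assumes the Linux php.ini form where `;` starts a comment.

```python
"""Audit php.ini for the three hardening directives discussed in the thread."""
import re

# Constructed php.ini excerpt mirroring the settings quoted in the thread:
# register_globals Off, open_basedir still commented out (so unset), and
# display_errors set twice, the last assignment winning as it does in PHP.
SAMPLE_INI = """
[PHP]
; http://www.php.net/manual/en/ini.core.php#ini.register-globals
register_globals = Off
;open_basedir =""
display_errors = On
display_errors = OFF
"""

_DIRECTIVE = re.compile(r'^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$')


def parse_ini(text):
    """Return {directive: value} for active (uncommented) lines; last assignment wins."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith((';', '#', '[')):
            continue
        # Drop an inline ';' comment (assumes Unix-style paths without ';').
        m = _DIRECTIVE.match(stripped.split(';', 1)[0])
        if m:
            settings[m.group(1).lower()] = m.group(2).strip('"\'')
    return settings


def ini_bool(value):
    """Mimic PHP's boolean reading of ini values: 1/On/Yes/True are on, all else off."""
    return value.strip().lower() in ('1', 'on', 'yes', 'true')


def audit(text):
    """Return (directive, problem) findings for the settings the thread discusses."""
    s = parse_ini(text)
    findings = []
    # register_globals must be off (the directive was removed entirely in PHP 5.4).
    if ini_bool(s.get('register_globals', '0')):
        findings.append(('register_globals', 'enabled: request variables become globals'))
    # An unset or empty open_basedir leaves PHP file functions unconfined.
    if not s.get('open_basedir'):
        findings.append(('open_basedir', 'unset: file operations are not confined'))
    # display_errors defaults to On; stdout/stderr values also emit errors.
    de = s.get('display_errors', '1')
    if ini_bool(de) or de.strip().lower() in ('stdout', 'stderr'):
        findings.append(('display_errors', 'enabled: error text may leak to clients'))
    return findings
```

Running `audit(SAMPLE_INI)` reports only the missing open_basedir, since the commented-out line leaves it unset.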