On Wed, 25 Aug 2010, Gordon Messmer wrote:
To: CentOS mailing list <centos@centos.org>
From: Gordon Messmer <yinyang@eburg.com>
Subject: Re: [CentOS] Strange Apache log entry
On 08/24/2010 04:25 AM, Keith Roberts wrote:
So bolting down PHP really tight should address these hacks?
No. This vulnerability would be in a PHP application. I don't believe you could configure PHP in such a way that this would no longer be a problem.
Hi Gordon.
register_globals is supposed to be off by default - so that should stop any global variables being injected.
; You should do your best to write your scripts so that they do not require
; register_globals to be on;  Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
; http://www.php.net/manual/en/ini.core.php#ini.register-globals
register_globals = Off

; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.open-basedir
;open_basedir =""

; display_errors
;
; This directive controls whether or not and where PHP will output errors,
; notices and warnings too. Error output is very useful during development, but
; it could be very dangerous in production environments. Depending on the code
; which is triggering the error, sensitive information could potentially leak
; out of your application such as database usernames and passwords or worse.
; It's recommended that errors be logged on production servers rather than
; having the errors sent to STDOUT.
; Possible Values:
;   Off = Do not display any errors
;   stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
;   On or stdout = Display errors to STDOUT
; Default Value: On
; Development Value: On
; Production Value: Off
; http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors

; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below).
display_errors = OFF
I'm sure there are other things that can be configured to make this attack much more difficult.
Kind Regards,
Keith
-----------------------------------------------------------------
Websites:
http://www.php-debuggers.net
http://www.karsites.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA
[http://tmda.net]
-----------------------------------------------------------------
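A small audit script for the three php.ini directives quoted in this thread, added here as an example and not part of the list discussion; the php.ini fragment it writes is constructed, and the "unset open_basedir counts as weak" policy is this script's assumption:

```shell
#!/bin/sh
# Added example (not from the original mail): audit a php.ini for the three
# directives discussed in the thread. The last uncommented assignment wins,
# as php.ini itself is read; a line starting with ';' is a comment.

# ini_value FILE DIRECTIVE -> prints the effective value, lowercased,
# empty if the directive is never set (or only appears in a ';' comment).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\).*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# check_php_ini FILE -> one line per directive; exit status 1 if any is weak.
# Unset register_globals counts as Off (the PHP default since 4.2); unset
# display_errors counts as On (the default noted in the php.ini comments);
# unset open_basedir is flagged because file access is then unrestricted.
check_php_ini() {
    rc=0
    case "$(ini_value "$1" register_globals)" in
        ""|off|0) echo "register_globals: ok" ;;
        *)        echo "register_globals: WEAK (request variables become globals)"; rc=1 ;;
    esac
    case "$(ini_value "$1" display_errors)" in
        off|0|stderr) echo "display_errors: ok" ;;
        *)            echo "display_errors: WEAK (errors shown to clients)"; rc=1 ;;
    esac
    case "$(ini_value "$1" open_basedir)" in
        "") echo "open_basedir: unset (file operations unrestricted)"; rc=1 ;;
        *)  echo "open_basedir: ok" ;;
    esac
    return $rc
}

# write_sample_ini FILE -> constructed php.ini fragment with the settings
# quoted in the thread (register_globals = Off, open_basedir commented out,
# display_errors = OFF). Not a real server's configuration.
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample, not a real server's file
register_globals = Off
;open_basedir =""
display_errors = OFF
EOF
}

tmp=${TMPDIR:-/tmp}/php-ini-audit.$$
write_sample_ini "$tmp"
check_php_ini "$tmp" || echo "audit: weak settings found"
rm -f "$tmp"
```

Point it at a real file with `check_php_ini /etc/php.ini`; per-vhost `php_admin_value` overrides in the Apache configuration are not read by this script.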