On Wed, 25 Aug 2010, Gordon Messmer wrote:

> To: CentOS mailing list <centos at centos.org>
> From: Gordon Messmer <yinyang at eburg.com>
> Subject: Re: [CentOS] Strange Apache log entry
>
> On 08/24/2010 04:25 AM, Keith Roberts wrote:
>>
>> So bolting down PHP really tight should address these hacks?
>
> No. This vulnerability would be in a PHP application. I don't believe
> you could configure PHP in such a way that this would no longer be a
> problem.

Hi Gordon.

register_globals is supposed to be off by default - so that should stop
any global variables being injected.

; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
; http://www.php.net/manual/en/ini.core.php#ini.register-globals
register_globals = Off

; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.open-basedir
;open_basedir = ""

; display_errors
;
; This directive controls whether or not and where PHP will output errors,
; notices and warnings too. Error output is very useful during development, but
; it could be very dangerous in production environments. Depending on the code
; which is triggering the error, sensitive information could potentially leak
; out of your application such as database usernames and passwords or worse.
; It's recommended that errors be logged on production servers rather than
; having the errors sent to STDOUT.
; Possible Values:
;   Off = Do not display any errors
;   stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
;   On or stdout = Display errors to STDOUT
; Default Value: On
; Development Value: On
; Production Value: Off
; http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors

; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below).
display_errors = OFF

I'm sure there are other things that can be configured to make this attack
much more difficult.

Kind Regards,

Keith

-----------------------------------------------------------------
Websites:
http://www.php-debuggers.net
http://www.karsites.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
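A small audit script for the three php.ini directives quoted in the post, added here as an example and not something from the thread or from PHP itself. It parses a constructed php.ini fragment (the `SAMPLE_INI` string, mirroring the directives above) and flags any of register_globals, display_errors or open_basedir that differs from the production setting the post recommends; the defaults assumed for a missing directive follow the php.ini comments quoted above.

```python
"""Audit a php.ini text for the hardening directives discussed in the thread."""

# Constructed sample, not a real server's php.ini: the same directives the
# post quotes. open_basedir is commented out, so it counts as unset.
SAMPLE_INI = """
; register_globals = On would expose request variables as globals
register_globals = Off
;open_basedir = ""
display_errors = OFF
log_errors = On
"""

# Values PHP treats as boolean false in ini files.
FALSY = {"", "0", "off", "false", "no", "none"}


def parse_php_ini(text):
    """Return {directive: value} for the uncommented 'key = value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drops comments, incl. ';open_basedir'
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def is_off(value):
    return value.strip().lower() in FALSY


def audit(settings):
    """Return findings for the three directives; an empty list means all pass."""
    findings = []
    # register_globals: Off by default since PHP 4.2; On injects request data
    # into every script's global scope.
    if not is_off(settings.get("register_globals", "off")):
        findings.append("register_globals is On: request data becomes global variables")
    # display_errors: the ini default is On, which sends error text (paths,
    # queries, credentials) to the client on a production host.
    if not is_off(settings.get("display_errors", "on")):
        findings.append("display_errors is On: error text is sent to the browser")
    # open_basedir: unset means PHP file operations are not confined at all.
    if not settings.get("open_basedir"):
        findings.append("open_basedir is unset: PHP file access is not confined")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_php_ini(SAMPLE_INI)):
        print("WARN:", finding)
```

Run against the sample it reports only the missing open_basedir, which is exactly the state of the snippet quoted in the post.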