[CentOS] Strange Apache log entry

Thu Aug 26 10:29:17 UTC 2010
Keith Roberts <keith at karsites.net>

On Wed, 25 Aug 2010, Gordon Messmer wrote:

> To: CentOS mailing list <centos at centos.org>
> From: Gordon Messmer <yinyang at eburg.com>
> Subject: Re: [CentOS] Strange Apache log entry
> 
> On 08/24/2010 04:25 AM, Keith Roberts wrote:
>>
>> So bolting down PHP really tight should address these hacks?
>
> No.  This vulnerability would be in a PHP application.  I don't believe
> you could configure PHP in such a way that this would no longer be a
> problem.

Hi Gordon.

register_globals is supposed to be off by default - so that 
should stop any global variables being injected.

; You should do your best to write your scripts so that they do not require
; register_globals to be on;  Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
; http://www.php.net/manual/en/ini.core.php#ini.register-globals
register_globals = Off

; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.open-basedir
;open_basedir =""

; display_errors
;
; This directive controls whether or not and where PHP will output errors,
; notices and warnings too. Error output is very useful during development, but
; it could be very dangerous in production environments. Depending on the code
; which is triggering the error, sensitive information could potentially leak
; out of your application such as database usernames and passwords or worse.
; It's recommended that errors be logged on production servers rather than
; having the errors sent to STDOUT.
; Possible Values:
;   Off = Do not display any errors
;   stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
;   On or stdout = Display errors to STDOUT
; Default Value: On
; Development Value: On
; Production Value: Off
; http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors

; Print out errors (as a part of the output).  For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below).
display_errors = OFF

I'm sure there are other things that can be configured to 
make this attack much more difficult.

Kind Regards,

Keith

-----------------------------------------------------------------
Websites:
http://www.php-debuggers.net
http://www.karsites.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
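An added example, not part of Keith's post or of PHP itself: a small php.ini auditor that reads a fragment like the one quoted above and reports whether the hardening directives discussed in the thread are actually in effect. It treats a commented-out line (such as the ";open_basedir" line in the post) as unset, falls back to PHP's built-in default when a directive is absent, and mimics PHP's loose boolean parsing of ini values ("Off", "0" and "" are false; "On", "Yes", "True" or any leading non-zero integer is true). The sample ini text is constructed for the demonstration, and the built-in default values are assumptions taken from the PHP 5.x documentation. It checks configuration only; as Gordon said, it says nothing about a flaw inside a PHP application.

```python
"""Audit a php.ini fragment for the hardening directives discussed in the thread.

Added example code; not from the mailing-list post and not from PHP's own
sources. SAMPLE_INI is constructed for the demonstration.
"""
import re

# Constructed php.ini fragment. It keeps the lines quoted in the post,
# including open_basedir left commented out, so that directive is NOT in effect.
SAMPLE_INI = """
[PHP]
; register_globals is Off by default since PHP 4.2
register_globals = Off
;open_basedir =""
display_errors = OFF   ; production value
log_errors = On
expose_php = On
error_log = "/var/log/php_errors.log"
"""

# Assumed built-in defaults that apply when a directive appears in no loaded ini
# file (as documented for PHP 5.x). open_basedir has no default: unrestricted.
BUILTIN_DEFAULTS = {
    "register_globals": "0",
    "display_errors": "1",
    "log_errors": "1",
    "expose_php": "1",
    "open_basedir": None,
}


def _strip_inline_comment(line):
    """Drop a trailing ';' comment that is not inside a quoted value."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == ";":
            return line[:i]
    return line


def parse_php_ini(text):
    """Return {directive: value} for directives that are actually active.

    Whole-line comments (';' or '#' first), blank lines and '[section]' headers
    are skipped; keys are lower-cased because directive names are
    case-insensitive; surrounding quotes are removed from values.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        line = _strip_inline_comment(line)
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        directives[key.strip().lower()] = value
    return directives


def ini_bool(value):
    """Mimic PHP's boolean reading of an ini value: 'on', 'yes', 'true' are
    true; anything else is true only if it starts with a non-zero integer."""
    v = value.strip().lower()
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m) and int(m.group()) != 0


# Each check: directive, what a hardened value looks like, predicate over the
# effective value (never None here except for open_basedir, which handles it).
HARDENING_CHECKS = [
    ("register_globals", "Off: request variables must not become globals",
     lambda v: not ini_bool(v)),
    ("display_errors", "Off: errors must not be shown to clients",
     lambda v: not ini_bool(v)),
    ("log_errors", "On: errors must still be recorded server-side",
     lambda v: ini_bool(v)),
    ("expose_php", "Off: do not advertise the PHP version in headers",
     lambda v: not ini_bool(v)),
    ("open_basedir", "set: confine file operations to the site's own tree",
     lambda v: v is not None and v.strip() != ""),
]


def effective_value(directives, name):
    """Value PHP would use: the ini file's setting, else the built-in default."""
    return directives.get(name, BUILTIN_DEFAULTS.get(name))


def audit_php_ini(text):
    """Return {directive: True if hardened, False if not}."""
    directives = parse_php_ini(text)
    return {name: passes(effective_value(directives, name))
            for name, _expect, passes in HARDENING_CHECKS}


def report(text):
    """Print one line per check, showing the effective value and the expectation."""
    directives = parse_php_ini(text)
    for name, expect, passes in HARDENING_CHECKS:
        value = effective_value(directives, name)
        status = "ok  " if passes(value) else "FAIL"
        shown = "<unset>" if value is None else repr(value)
        print(f"{status} {name:<17} = {shown:<28} ({expect})")


if __name__ == "__main__":
    report(SAMPLE_INI)
```

Run against the quoted fragment it passes register_globals, display_errors and log_errors, but flags open_basedir (the line is commented out, so no restriction is in force) and expose_php (left at its default). Point it at the output of `php --ini` or at the per-vhost `php_admin_value` lines to audit a real host rather than the constructed sample.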