|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Mambo, Coppermine and PHPBB Attacks
From: ascii (ascii
katamail.com)
Date: Thu Dec 29 2005 - 21:16:23 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Yasuo Ohgaki wrote:
> OWASP guideline may be better to be updated, since allow_url_fopen=off
> is not practical and allow_url_fopen=off does not provide good enough safe guard.
good points
allow_url_fopen and many other functions try to do their best at the
application level
often php is uber hardened while cgi and exec are still allowed
so imho the best combination is:
- try to solve the problem with php settings (url fopen, open basedir,
exec dir, etc) and with apache (the favolous perchild concept :P)
- set up some acl system like selinux or rsbac
- set up grsec and use the group socket restrictions
is there somebody "developing" mpm-perchild?
too late for long emails,
Francesco 'ascii' Ongaro - http://www.ush.it/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]