my 2 cents


Anyone with a clue doesn't use /etc/passwd anymore *shadow password file*,
so that's kind of deprecated...

Your php process should not be running as root - typically you will give
apache its own group, and apache + php will only be able to access files
which that group has permission for.

If you are running IIS on Windows, you are pretty screwed.  More holes than
a sieve.  Change to apache or zeus.

.htaccess files or apache.conf can set .inc or other files not to be passed
to the web browser.
You can set it to be restrictive, so only files you specify can get opened
in a browser.

turn off directory browsing in apache for directories without a default
page.

any data passed via the browser interface is suspicious.  sanitize it for
your data.

eg if expecting a numeric value, check it's numeric and zero it if not.

error checking in the code is good, but try not to show too much info about
the server.

initialise all variables before using them. (in case someone passes
something via get/post that may get used).

if you use any common scripts, change the default passwords - there are a
gazillion sites out there with the default script passwords.

use an include file for database access passwords.  keep this out of the
webserver directory if possible.

eg (sample example, not a functional one!)
website is in /home/website  /home is out of the webserver's directories.

db.ini saved in /home
<?php
// database credentials, kept outside the web root
$db_pass="my password";
$db_user="username";
?>


myphppage in /home/website
<?php

require "/home/db.ini";

// mysql_connect takes (server, username, password) in that order;
// "localhost" is a placeholder for the database host
mysql_connect ("localhost", $db_user, $db_pass);
?>


common sense gets 99% of things.  If the usual holes aren't there the script
kiddies will go to another site with more holes.

Don't forget to also keep up to date with recommended patches for your OS.
Bugtraq.com and securityfocus.com are good places to keep up with both ends
of the stick.
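As an added example (not part of the post), a PHP page that applies the advice above to the ?page= and numeric-parameter cases from the original question: an allow-list for included pages, a numeric check that zeroes bad input, credentials pulled from an include outside the web root, and a generic error message instead of server details. It assumes the paths /home/db.ini and /home/website/pages/ and a database named "website", and uses mysqli_connect(), since mysql_connect() no longer exists in current PHP.

```php
<?php
// Added example, not from the list post. Assumes /home/db.ini defines
// $db_user and $db_pass and that /home/website/pages/ holds the includes.
require '/home/db.ini';

// Map of allowed page names to files. The browser-supplied value is only
// ever used as a key into this array, never as part of a filesystem path,
// so a traversal string like "../../../../etc/passwd" cannot select a
// file outside the web site.
$pages = array(
    'home'    => '/home/website/pages/home.inc',
    'contact' => '/home/website/pages/contact.inc',
);

function safe_page(array $pages, $raw)
{
    // Non-string input (e.g. page[]=x) or an unknown name falls back to
    // 'home'; the raw value is never echoed back or used as a path.
    if (!is_string($raw) || !isset($pages[$raw])) {
        return 'home';
    }
    return $raw;
}

function safe_int($raw)
{
    // Expecting a numeric value: check it is numeric and zero it if not.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return 0;
    }
    return (int) $raw;
}

$page = safe_page($pages, isset($_GET['page']) ? $_GET['page'] : 'home');
$id   = safe_int(isset($_GET['id']) ? $_GET['id'] : '0');

// Log the real failure on the server; tell the browser nothing about it.
$link = @mysqli_connect('localhost', $db_user, $db_pass, 'website');
if (!$link) {
    error_log('DB connect failed: ' . mysqli_connect_error());
    die('Service temporarily unavailable.');
}

require $pages[$page];
```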


-----Original Message-----
From: Bob [mailto:[EMAIL PROTECTED]]
Sent: August 17, 2001 11:43 AM
To: [EMAIL PROTECTED]
Subject: [PHP] hacks we should know about


Hi, I found it very helpful to know about hacks such as the below list
and was wondering if anyone had any more dumb mistakes they could tell
us about before we make them.

1. http://www.somesite.com/source.php3?url=/etc/passwd
2. http://www.somesite.com?page=../../../../etc/passwd
3. not setting .inc files to be parsed by php
4. setting directory ownership to nobody



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]