Suhosin is PHP-specific and operates at that level (at the app level, "protecting" PHP)... mod_security works at a higher level.
On Feb 19, 2010, at 10:25 AM, James Smallacombe wrote:

> After a recent php compromise of the www user on my web server via the Zen
> Cart "record company" exploit, I installed the Suhosin extension (patch was
> already there). Suhosin helped a great deal. It enabled me to block certain
> php functions globally and re-enable them on a per-vhost basis, as needed.
> Perhaps just as importantly, it logged violations, along with IP addresses,
> which not only enabled me to track down attackers, but also troubleshoot
> which vhosts needed which functions to work properly.
>
> After having customers' content providers patch their respective Zen Carts
> and purging/disabling the several c99shells and other nasty scripts uploaded
> by kiddies, we found that the patched Zen Carts wouldn't function properly,
> and it wasn't logging what part of Suhosin was blocking functionality. Neither
> Zen developers nor the Suhosin author responded to requests for a workaround
> for this.
>
> Sadly, there doesn't appear to be any current development or support for the
> Suhosin extension, no forum or mailing list. This leaves one wondering what
> the best way is to manage php (and other) security on the web server. Does
> mod_security allow some of the same functionality, and is there current
> support and development of it? What's the best current practice WRT Apache
> and php security?
>
> TIA,
>
> James Smallacombe          PlantageNet, Inc. CEO and Janitor
> u...@3.am                  http://3.am
> =========================================================================

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
---------------------------------------------------------------------
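The original poster's troubleshooting loop (block functions globally, read the violation log to see which vhost legitimately needs which function, then relax the blacklist per vhost with php_admin_value) can be scripted. The following is an added example written for this thread, not code from either poster or from the Suhosin or mod_security projects. It assumes Suhosin's "ALERT - function within blacklist called: name() (attacker 'ip', file 'path', line n)" message shape in the Apache error log, a /var/www/<vhost>/... document-root layout, and a global blacklist in Suhosin's comma-separated list syntax; the log lines and vhost names are constructed for illustration.

```python
"""Aggregate Suhosin function-blacklist alerts per vhost and render a reduced
per-vhost blacklist for a <VirtualHost> block.  Added example; the log format
and directory layout below are assumptions, not taken from the thread."""
import re
from collections import defaultdict

# Constructed sample error-log lines (assumption: Suhosin's ALERT message shape
# embedded in the mod_php error log).  Two hits come from an uploaded shell
# under images/, one from a Zen Cart include, one from an admin backup script,
# and one is an unrelated PHP notice that the parser must ignore.
SAMPLE_LOG = """\
[Fri Feb 19 09:12:01 2010] [error] [client 203.0.113.7] ALERT - function within blacklist called: exec() (attacker '203.0.113.7', file '/var/www/shop1.example/images/c99.php', line 12)
[Fri Feb 19 09:12:04 2010] [error] [client 203.0.113.7] ALERT - function within blacklist called: system() (attacker '203.0.113.7', file '/var/www/shop1.example/images/c99.php', line 40)
[Fri Feb 19 10:01:30 2010] [error] [client 198.51.100.20] ALERT - function within blacklist called: popen() (attacker '198.51.100.20', file '/var/www/shop1.example/includes/functions/functions_general.php', line 210)
[Fri Feb 19 10:05:11 2010] [error] [client 198.51.100.21] ALERT - function within blacklist called: shell_exec() (attacker '198.51.100.21', file '/var/www/shop2.example/admin/backup.php', line 33)
[Fri Feb 19 10:05:12 2010] [error] [client 198.51.100.21] PHP Notice:  Undefined index: foo in /var/www/shop2.example/index.php on line 5
"""

# Hypothetical global suhosin.executor.func.blacklist set in php.ini.
GLOBAL_BLACKLIST = ["exec", "system", "passthru", "popen", "shell_exec", "proc_open"]

ALERT_RE = re.compile(
    r"ALERT - function within blacklist called: (?P<func>\w+)\(\) "
    r"\(attacker '(?P<ip>[^']+)', file '(?P<file>[^']+)', line (?P<line>\d+)\)"
)


def parse_alerts(log_text):
    """Yield one dict per blacklist alert; lines without the ALERT marker are skipped."""
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["line"] = int(rec["line"])
            yield rec


def vhost_of(path, docroot_base="/var/www/"):
    """Map a script path to its vhost; assumes /var/www/<vhost>/... (returns None otherwise)."""
    if not path.startswith(docroot_base):
        return None
    return path[len(docroot_base):].split("/", 1)[0]


def summarize(log_text):
    """Return {vhost: {"functions": {func: set(files)}, "attackers": set(ips)}}."""
    summary = defaultdict(lambda: {"functions": defaultdict(set), "attackers": set()})
    for rec in parse_alerts(log_text):
        vh = vhost_of(rec["file"]) or "(unknown)"
        summary[vh]["functions"][rec["func"]].add(rec["file"])
        summary[vh]["attackers"].add(rec["ip"])
    return summary


def vhost_blacklist(global_blacklist, allowed):
    """Reduced blacklist for one vhost: the global list minus functions it legitimately needs.
    Order is preserved so the rendered directive is stable across runs."""
    return [f for f in global_blacklist if f not in allowed]


def render_override(allowed, global_blacklist=GLOBAL_BLACKLIST):
    """Render the php_admin_value line to place inside that vhost's <VirtualHost> block."""
    return 'php_admin_value suhosin.executor.func.blacklist "%s"' % ",".join(
        vhost_blacklist(global_blacklist, allowed)
    )


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for vh in sorted(report):
        print("vhost %s  (source IPs: %s)" % (vh, ", ".join(sorted(report[vh]["attackers"]))))
        for func, files in sorted(report[vh]["functions"].items()):
            print("  %-12s %s" % (func, "; ".join(sorted(files))))
    # The admin decides which hits are legitimate application code and which are an
    # uploaded shell; here only popen() from the Zen Cart include is treated as needed.
    print(render_override({"popen"}))
```

The script only reports; the decision of which functions to re-enable stays with the administrator, because an uploaded c99shell calling exec() shows up in the same log as the application's own popen() call, and blindly whitelisting everything observed would re-open the hole. The file path and source IP columns are what let the two be told apart.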