[KLUG Members] PHP hacked

members@kalamazoolinux.org members@kalamazoolinux.org
Fri, 1 Mar 2002 09:22:38 -0500


>I thought any who run PHP on your servers might want to take a look at
>this.
>http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eOqA0BgFYL0DUm0fPe0AX

Before widespread panic sets in it should be pointed out that:

1. This affects sites using file upload via POST.  How many publicly
accessible sites use file upload?  Can't remember the last time I found one.

2. Features your site doesn't use *SHOULD BE DISABLED*,  so chances are if you
have two neurons to rub together file upload is already disabled.  If it is not
do it now.  Also use those database connection limiters, etc... in the config
file to draw boundaries around what an httpd can do.  This is something you
should do if using PHP, Perl, CGI, Python, Java, etc...

3. Placing an accelerator (squid) in front of apache can alleviate some buffer
overflow issues as you can limit the size of requests, post operations, etc...
So if you're paranoid about such things....  Of course, then maybe they can
exploit squid. :)

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/