httpd-users mailing list archives

From Eric Frazier ...@kwinternet.com>
Subject RE: [users@httpd] Hacked the website replace the index.hm page
Date Mon, 09 May 2005 02:13:44 GMT
Hi,

Does no one use cgiwrap anymore? I thought that the best way to handle 
this kind of thing is to run PHP as a CGI first off, and then use something 
like cgiwrap to isolate users. Yes, lesser performance, but people running on 
shared servers get what they pay for, and it certainly makes sense to take 
their security first and performance second.

Eric

At 06:55 PM 5/8/2005, Gary W. Smith wrote:
>Here is the explanation as you have already presented it:
>
>All users' sites are owned by httpd
>There are multiple user sites, we'll say a-z.
>Site a is running phpBB with a version known to be buggy.
>Someone issues a hack against site a.  The hack says modify site b-z.
>Apache says, why not, I own the files so I can.
>User from site j complains because site is hacked.
>
>The rule of thumb is that apache can edit any file it has read/write
>access to.
>
>What we have done in the past to prevent this.
>
>We have multiple sites running on single boxes and ensure that this
>doesn't happen by having the files owned by the user with read-only
>access to apache (r/w is assigned by the users at their own risk,
>usually only to directories they need to upload to).
>
>If your users fail to update their versions of phpBB there isn't much you
>can do, but you are also not responsible for their failure to do so.
>
>We also turn on open_basedir per virtual instance (all on one line).
>php_admin_value open_basedir "/tmp:
>/home/whateveruser/html:
>/usr/local/horde:
>/usr/local/lib"
>
>This might help, but it won't hurt!
>
> > ----- Original Message -----
> > From: "Mathew Thomas" <mathew.thomas@rmit.edu.au>
> > To: <users@httpd.apache.org>
> > Sent: Sunday, May 08, 2005 8:23 PM
> > Subject: Re: [users@httpd] Hacked the website replace the index.hm
>page
> >
> >
> > Hi Tim,
> >
> > Could you please explain it a bit more. There is no connection between
> > the hacked website and the phpBB website (both are different virtual hosts).
> > We are using php version 4.3.9. Do you mean upgrade php?
> >
> > Thanks
> > Mathew
> >
> >
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
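The containment model Gary describes in the quoted message (Apache can only modify what the httpd user can write, plus a per-vhost open_basedir), as an added example that is not part of the thread or of the Apache project: a small Python model of both checks over a constructed set of sites. The httpd uid/gid (48) and the per-user uids are assumed values, and `open_basedir_allows` only approximates PHP's prefix matching (it omits the symlink resolution PHP performs). It does carry the caveat a practitioner needs here: an open_basedir entry without a trailing slash is a prefix, so `/home/a/html` also admits `/home/a/html_old`.

```python
"""Model of the two controls discussed in the thread, on constructed data."""
import posixpath
import stat

# Constructed identity for the Apache worker processes on a shared host; the
# real values come from the User/Group directives and /etc/passwd (assumed).
HTTPD_UID = 48
HTTPD_GIDS = {48}


def httpd_can_write(owner_uid, owner_gid, mode):
    """True if a process running as HTTPD_UID with groups HTTPD_GIDS can write
    a file with this owner and permission bits. This is the 'Apache can edit
    any file it has write access to' rule of thumb, reduced to the classic
    owner/group/other check (no POSIX ACLs, no capabilities)."""
    if owner_uid == HTTPD_UID:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in HTTPD_GIDS:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def open_basedir_allows(open_basedir, path):
    """Approximate PHP's open_basedir test. The directive is a colon-separated
    list of prefixes; a path is allowed when it starts with one of them. PHP
    compares prefixes, not directory names, so '/home/u/html' also admits
    '/home/u/html2'; end an entry with '/' to pin it to that directory tree.
    Symlink resolution (which PHP does via realpath) is omitted here."""
    target = posixpath.normpath(path)
    for entry in open_basedir.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if entry.endswith("/"):
            if target == entry.rstrip("/") or target.startswith(entry):
                return True
        elif target.startswith(entry):
            return True
    return False


def exposed_files(files):
    """files: iterable of (vhost, path, owner_uid, owner_gid, mode).
    Returns the paths a compromised PHP script running as httpd could overwrite."""
    return sorted(path for _, path, uid, gid, mode in files
                  if httpd_can_write(uid, gid, mode))


def cross_site_reach(open_basedir, other_docroots):
    """Docroots of *other* vhosts that a script confined by open_basedir can
    still open; any hit means the directive does not isolate this tenant."""
    return [d for d in other_docroots
            if open_basedir_allows(open_basedir, d + "/index.php")]


# Constructed layouts for the scenario in the thread: 'before' has every site
# owned by httpd, 'after' has each site owned by its user, Apache read-only.
BEFORE = [
    ("a", "/home/a/html/index.php", HTTPD_UID, 48, 0o644),
    ("b", "/home/b/html/index.htm", HTTPD_UID, 48, 0o644),
    ("j", "/home/j/html/index.htm", HTTPD_UID, 48, 0o644),
]
AFTER = [
    ("a", "/home/a/html/index.php", 1001, 1001, 0o644),
    ("b", "/home/b/html/index.htm", 1002, 1002, 0o644),
    ("j", "/home/j/html/index.htm", 1010, 1010, 0o644),
    # upload directory the owner deliberately opened to the web server
    ("j", "/home/j/html/uploads/avatar.gif", 1010, 1010, 0o666),
]

# Per-vhost directive in the shape Gary posted, for site a (assumed paths).
SITE_A_BASEDIR = "/tmp:/home/a/html:/usr/local/horde:/usr/local/lib"

if __name__ == "__main__":
    print("writable before:", exposed_files(BEFORE))
    print("writable after: ", exposed_files(AFTER))
    print("site a reaches:", cross_site_reach(SITE_A_BASEDIR,
                                              ["/home/b/html", "/home/j/html"]))
    print("prefix caveat:", open_basedir_allows("/home/a/html",
                                                "/home/a/html_old/x.php"))
```

With the 'before' layout every index file is writable by httpd, which is exactly the b-z overwrite Gary describes; with the 'after' layout only the upload directory its owner opened remains writable, and site a's open_basedir cannot reach /home/b or /home/j. Two caveats follow from the model: add the trailing slash to the docroot entry so a sibling such as /home/a/html_old is not admitted by prefix, and note that /tmp in that directive is shared by every vhost, so a script in site a can still drop a file there for site b to read; giving each vhost its own upload_tmp_dir and session.save_path closes that channel.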