httpd-users mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: [users@httpd] Suhosin vs. mod_security
Date Fri, 19 Feb 2010 16:43:03 GMT
Suhosin is PHP specific and operates at that level (at the app level
and "protecting" PHP)... mod_security works at a higher level.

On Feb 19, 2010, at 10:25 AM, James Smallacombe wrote:

> 
> After a recent php compromise of the www user on my web server via the Zen Cart "record
> company" exploit, I installed the Suhosin extension (patch was already there).  Suhosin helped
> a great deal.  It enabled me to block certain php functions globally and re-enable them on
> a per-vhost basis, as needed.  Perhaps just as importantly, it logged violations, along with
> IP addresses, which not only enabled me to track down attackers, but also troubleshoot which
> vhosts needed which functions to work properly.
> 
> After having customers' content providers patch their respective Zen Carts and purging/disabling
> the several c99shells and other nasty scripts uploaded by kiddies, we found that the patched
> Zen Carts wouldn't function properly and weren't logging what part of Suhosin was blocking
> functionality. Neither Zen developers nor the Suhosin author responded to requests for a workaround
> for this.
> 
> Sadly, there doesn't appear to be any current development or support for the Suhosin
> extension, no forum or mailing list.  This leaves one wondering what the best way is to manage
> php (and other) security on the web server.  Does mod_security allow some of the same functionality,
> and is there current support and development of it?  What's the best current practice WRT
> Apache and php security?
> 
> TIA,
> 
> James Smallacombe		      PlantageNet, Inc. CEO and Janitor
> up@3.am							    http://3.am
> =========================================================================
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
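The workflow James describes (Suhosin logging blocked-function violations with the attacker IP, then using those logs both to track attackers and to work out which vhost legitimately needs which function) is easy to mechanise. The following is an added example, not code from either poster or from the Suhosin or mod_security projects. The log lines are constructed and only approximate Suhosin's "ALERT - function within blacklist called" wording; the exact format, the syslog prefix and the `/var/www/<vhost>/` docroot layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Suhosin blacklist alerts (format assumed,
# not taken from Suhosin's source). Two vhosts: shop-a and shop-b.
SAMPLE_LOG = """\
Feb 19 10:01:02 web1 suhosin[1234]: ALERT - function within blacklist called: system() (attacker '203.0.113.7', file '/var/www/shop-a/zencart/includes/x.php', line 12)
Feb 19 10:01:05 web1 suhosin[1234]: ALERT - function within blacklist called: exec() (attacker '203.0.113.7', file '/var/www/shop-a/zencart/includes/x.php', line 13)
Feb 19 10:02:11 web1 suhosin[1234]: ALERT - function within blacklist called: proc_open() (attacker '198.51.100.3', file '/var/www/shop-b/admin/backup.php', line 88)
Feb 19 10:03:40 web1 suhosin[1234]: ALERT - function within blacklist called: ini_set() (attacker '192.0.2.25', file '/var/www/shop-b/zencart/index.php', line 5)
Feb 19 10:04:01 web1 suhosin[1234]: ALERT - function within blacklist called: ini_set() (attacker '192.0.2.26', file '/var/www/shop-b/zencart/index.php', line 5)
"""

# Regex for the assumed alert shape: function name, source IP, script path, line number.
ALERT_RE = re.compile(
    r"ALERT - function within blacklist called: (?P<func>\w+)\(\) "
    r"\(attacker '(?P<ip>[^']+)', file '(?P<file>[^']+)', line (?P<line>\d+)\)"
)


def parse_alerts(text):
    """Yield one dict (func, ip, file, line) per blacklisted-function alert in the log text."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()


def vhost_of(path, docroot_base="/var/www/"):
    """Map a script path to a vhost name: the first directory under docroot_base (assumed layout)."""
    if not path.startswith(docroot_base):
        return None
    return path[len(docroot_base):].split("/", 1)[0]


def summarize(text):
    """Return (by_ip, by_vhost): alert count per source IP, and per vhost the blocked
    functions with the scripts that called them."""
    by_ip = defaultdict(int)
    by_vhost = defaultdict(lambda: defaultdict(set))  # vhost -> func -> {files}
    for a in parse_alerts(text):
        by_ip[a["ip"]] += 1
        by_vhost[vhost_of(a["file"])][a["func"]].add(a["file"])
    return (
        dict(by_ip),
        {vh: {f: sorted(files) for f, files in funcs.items()} for vh, funcs in by_vhost.items()},
    )


def triage(text, min_ips=2):
    """Split alerts into two lists of (vhost, func, file) keys.

    A function tripped in the same script by several distinct client IPs is most likely
    legitimate application code hitting the global blacklist, i.e. a candidate for a
    per-vhost allowance.  A function tripped from a single IP, especially in an unexpected
    script, is a lead worth investigating as attacker activity.
    """
    hits = defaultdict(set)  # (vhost, func, file) -> set of source IPs
    for a in parse_alerts(text):
        hits[(vhost_of(a["file"]), a["func"], a["file"])].add(a["ip"])
    candidate_allow = sorted(k for k, ips in hits.items() if len(ips) >= min_ips)
    investigate = sorted(k for k, ips in hits.items() if len(ips) < min_ips)
    return candidate_allow, investigate


if __name__ == "__main__":
    by_ip, by_vhost = summarize(SAMPLE_LOG)
    print("alerts per source IP:", by_ip)
    print("blocked functions per vhost:", by_vhost)
    allow, inv = triage(SAMPLE_LOG)
    print("candidates for per-vhost allowance:", allow)
    print("investigate:", inv)
```

On the constructed sample, `ini_set()` in shop-b's `index.php` is hit by two different visitors and so surfaces as a per-vhost allowance candidate, while `system()`/`exec()` from one IP in an `includes/` script and `proc_open()` in an admin script stay in the investigate list. The `min_ips` threshold is a crude heuristic; on a real server you would combine it with whether the script is part of the shipped application or an unexpected upload.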

