httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Smallacombe>
Subject [users@httpd] Suhosin vs. mod_security
Date Fri, 19 Feb 2010 15:25:42 GMT

After a recent php compromise of the www user on my web server via the Zen 
Cart "record company" exploit, I installed the Suhosin extension (patch 
was already there).  Suhosin helped a great deal.  It enabled me to block 
certain php functions globally and re-enable them on a per-vhost basis, as 
needed.  Perhaps just as importantly, it logged violations, along with IP 
addresses, which not only enabled me to track down attackers, but also 
troubleshoot which vhosts needed which functions to work properly.

After having customers' content providers patch their respective Zen Carts 
and purging/disabling the several c99shells and other nasty scripts 
uploaded by kiddies, we found that the patched Zen carts wouldn't function 
properly and wasn't logging what part of Suhosin was blocking 
functionality. Neither Zen developers nor the Suhosin author responded to 
requests for a workaround for this.

Sadly, there doesn't appear to be any current development or support for 
the Suhosin extension, no forum or mailing list.  This leaves one 
wondering what the best way is to manage php (and other) security on the 
web server.  Does mod_security allow some of the same funtionality, and is 
there current support and development of it?  What's the best current 
practive WRT Apache and php security?


James Smallacombe		      PlantageNet, Inc. CEO and Janitor	

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message