httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jerry K <apache...@oryx.us>
Subject Re: [users@httpd] Suhosin vs. mod_security
Date Wed, 21 Oct 2015 20:01:25 GMT

Yep, I'm replying to a very old thread.

.......................................


OP, I am just wondering if you resolved your issue here, and if you are still 
using Suhosin?

If not, did you move to mod_security, as other repliers had suggested, or 
something else?

thank you,

Jerry



On 02/19/10 09:25 AM, James Smallacombe wrote:
>
> After a recent php compromise of the www user on my web server via the Zen Cart
> "record company" exploit, I installed the Suhosin extension (patch was already
> there).  Suhosin helped a great deal.  It enabled me to block certain php
> functions globally and re-enable them on a per-vhost basis, as needed.  Perhaps
> just as importantly, it logged violations, along with IP addresses, which not
> only enabled me to track down attackers, but also troubleshoot which vhosts
> needed which functions to work properly.
>
> After having customers' content providers patch their respective Zen Carts and
> purging/disabling the several c99shells and other nasty scripts uploaded by
> kiddies, we found that the patched Zen carts wouldn't function properly and
> wasn't logging what part of Suhosin was blocking functionality. Neither Zen
> developers nor the Suhosin author responded to requests for a workaround for this.
>
> Sadly, there doesn't appear to be any current development or support for the
> Suhosin extension, no forum or mailing list.  This leaves one wondering what the
> best way is to manage php (and other) security on the web server.  Does
> mod_security allow some of the same funtionality, and is there current support
> and development of it?  What's the best current practive WRT Apache and php
> security?
>
> TIA,
>
> James Smallacombe              PlantageNet, Inc. CEO and Janitor
> up@3.am                                http://3.am
> =========================================================================
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message