WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Mambo, Coppermine and PHPBB Attacks

From: Paul Laudanski <zx () castlecops com>
Date: Sat, 24 Dec 2005 17:24:33 -0500 (EST)
On Sun, 25 Dec 2005, Yasuo Ohgaki wrote:


It's great if this failsafe feature works as expected.
Nobody can guarantee newbie php programmer make such hole in an app.

These changes made allow_url_fopen=off useless.


Its not about a single solution being the silver bullet.  The only 
security is defense in depth.  You build secure code.  You filter input 
and output.  You configure php.ini properly.  You configure httpd.conf 
properly.  Install mod_security.  Install an IDS that filters for well 
known attacks against your server.  Install a reporting tool that monitors 
your logs.  Make sure your PHP reports warnings, errors, and fix them...

Point is... its only a step in the overall level of layered security.  The 
more tools you put up, as you require or can use but only you can 
determine that, the more an attacker has to get thru.

-- 
Paul Laudanski, Microsoft MVP Windows-Security
[cal] http:/events.castlecops.com
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
Previous By Date Next
Previous By Thread Next

Current thread: