May 30
I was just browsing through my old c't magazines and came across issue 26/2006 with the very interesting article on web application security. It once again explains the currently common attacks in detail, such as
- Cross Site Scripting
- Remote Code Execution and
- SQL injection
Web 2.0 applications in particular are vulnerable, because here the entire attack can be played out on the user's computer.
Most shared web hosting services are based on PHP. A major problem with PHP is that the security settings (in php.ini) can only be set globally, not separately for each application. Therefore the security parameters are often relaxed so that the customers' scripts will run. The most important parameters for security are:
| Parameter | Description |
|---|---|
| register_globals = off | prevents variables from HTTP requests and cookies from overriding global program variables |
| allow_url_fopen = off | ensures that PHP scripts can only include local files on the server |
| safe_mode = on | causes, among other things, the PHP process to only access files and directories that belong to the user under whose privileges the PHP process runs |
| open_basedir = /path/to/www-folder | specifies a directory outside of which PHP scripts cannot open files |
| display_errors = off | in case of errors in PHP scripts, PHP suppresses its own error message, which among other things includes the file system path of the web application |
Source ct '26/2006
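Since the settings above are global and cannot be tightened per application on a shared host, the first thing a hosting customer can do is check what values are actually in effect. The following audit script is an added example, not code from the c't article or this blog; it assumes nothing beyond a working PHP interpreter (web or CLI) and reports each directive from the table via ini_get().

```php
<?php
// Added example: report the effective value of the security-relevant
// php.ini directives from the table above. A script can read the
// effective values with ini_get(), but on a shared host it usually
// cannot tighten them; the output tells you what to ask the hoster for.

$checks = [
    // directive        => [expected value as seen by ini_get(), why]
    'register_globals' => ['0', 'request/cookie variables must not become globals'],
    'allow_url_fopen'  => ['0', 'only local files may be opened or included'],
    'safe_mode'        => ['1', 'restrict file access to the script owner'],
    'display_errors'   => ['0', 'do not leak file system paths in error output'],
];

function boolish(string $v): string {
    // ini_get() returns the raw php.ini string: "1"/"0", "On"/"Off", "" ...
    $v = strtolower(trim($v));
    return in_array($v, ['1', 'on', 'yes', 'true'], true) ? '1' : '0';
}

function audit(array $checks): array {
    $findings = [];
    foreach ($checks as $directive => [$expected, $why]) {
        $raw = ini_get($directive);
        if ($raw === false) {
            // Directive unknown to this PHP build (register_globals and
            // safe_mode were removed in PHP 5.4), which is the safe state.
            $findings[$directive] = 'n/a (removed in this PHP version)';
            continue;
        }
        $findings[$directive] = boolish($raw) === $expected
            ? 'ok'
            : "WEAK: is '$raw', should be " . ($expected === '1' ? 'On' : 'Off') . " ($why)";
    }
    // open_basedir is a path, not a boolean: any non-empty value restricts file access.
    $ob = ini_get('open_basedir');
    $findings['open_basedir'] = ($ob !== false && $ob !== '')
        ? "ok ($ob)"
        : 'WEAK: not set, scripts may open any file the PHP user can read';
    return $findings;
}

foreach (audit($checks) as $directive => $result) {
    printf("%-18s %s\n", $directive, $result);
}
```

Run it once from the web server and once from the CLI: shared hosts often use different php.ini files for the two, and only the web server's values matter for the hosted application.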
The online resources for the article are also very interesting:
- Online demonstration of known XSS vulnerabilities
- Details on the vulnerability in the T-Online Career Forum (now fixed)
- Explanation of SQL injection on Wikipedia
- PHP Manual
- The suEXEC security extension for Apache
- Documentation for the PHP safe mode
- Securing the web server with mod_security
Written by gklinkmann | tags: java, php