| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 16 Jul 2006 19:26:00 -0400 From: "Curt Purdy" <purdy@...man.com> To: "'Neil Neely'" <neil@...i.com>, "'Darren Reed'" <avalon@...igula.anu.edu.au> Cc: <bugtraq@...urityfocus.com> Subject: RE: [lists] Re: PHP security (or the lack thereof) > Neil Neely wrote: > For those of us that have to administer shared hosting > servers where customers can and do build/install very poorly > written web applications it can be a full time job trying to > protect your server. Snip At my the ISP I used to run, we used a "chroot jail" so that every site had its own little bubble that could not be broken through. A cracker could compromise a site and deface it or whatever, but could not traverse to any other location on the server. Therefore a customer could have the most insecure php app around with a back-door in a "free" PHP module they got off the Net and could be embarassed by a cracker but no-one else would suffer including my BSD server. Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA Information Security Officer Information Systems Security infosysec.net 443.846.4231 ------------- If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity czar Richard Clarke
Powered by blists - more mailing lists