Open Source and information security mailing list archives
Date: Mon Jun 20 14:55:13 2005
From: sesser at hardened-php.net (Stefan Esser)
Subject: full-disclosure@...ts.grok.org.uk

Hello,

if you want to fully protect your customers against each other you need to use
a CGI-like implementation. If you have only a few separated vhosts you can also
try to have one httpd per customer and a reverse proxy...

If you do not want this, you should at least perform the following steps:

	1) chroot the httpd (and remove absolutely everything not needed)
	2) move all document root and tmp (upload/session) dirs per vhost
	   to some unguessable location
	   like /sites/[md5hash-here]/..../htdocs
	3) Make the /sites directory not readable by the webserver
	   (so no enumeration is possible)
	4) Patch PHP so that paths are not disclosed in phpinfo()/error messages
	   (or at least the md5 component)
	5) ohh yeah and of course have your httpd.conf at some unguessable
	   place
	6) disable ALL functions that could execute shell commands
	   (if that is not possible, then bad luck)
	7) Finally pray that your users do not install scripts that print
	   out the content of __FILE__ on error and so disclose their paths

	8) *Remind yourself that this setup is not foolproof*


Stefan Esser 
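An added example of steps 2, 3 and 6 from the post above, as a POSIX shell script; it is not part of Stefan Esser's message. It lays out one customer's vhost under a random, unguessable directory, makes the parent directory execute-only so the httpd user can traverse to a known path but cannot list sibling customers, and emits the matching Apache vhost block and the php.ini disable_functions line. The SITES_ROOT default, the customer name and the exact function list are assumptions for illustration; the chroot of step 1 and the PHP patching of step 4 are not covered.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: $SITES_ROOT stands
# in for the /sites directory from the mailing-list message.
set -eu

SITES_ROOT="${SITES_ROOT:-/tmp/sites-demo}"   # assumption: demo location

# Step 2: an unguessable per-vhost path component (16 random bytes, hex).
# The post suggests an md5 hash; any 128-bit random token serves the purpose.
random_component() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Create $SITES_ROOT/<token>/{htdocs,tmp/upload,tmp/session} and print the base.
make_vhost_dirs() {
    token="$(random_component)"
    base="$SITES_ROOT/$token"
    mkdir -p "$base/htdocs" "$base/tmp/upload" "$base/tmp/session"
    # Step 3: the parent must not be listable by the webserver user.
    # Mode 711 (execute-only for group/others) allows traversal into a path
    # you already know but blocks enumeration of the other customers.
    chmod 711 "$SITES_ROOT"
    chmod 750 "$base"
    printf '%s\n' "$base"
}

# Apache vhost pointing at the hidden docroot; tmp dirs and open_basedir are
# pinned per customer so PHP cannot wander into other customers' trees.
vhost_config() {
    customer="$1"
    base="$2"
    cat <<EOF
<VirtualHost *:80>
    ServerName $customer
    DocumentRoot $base/htdocs
    php_admin_value upload_tmp_dir $base/tmp/upload
    php_admin_value session.save_path $base/tmp/session
    php_admin_value open_basedir $base
</VirtualHost>
EOF
}

# Step 6: php.ini directive disabling the functions that run shell commands.
# The list is an assumption; extend it for the PHP build actually in use.
php_disable_functions() {
    printf 'disable_functions = %s\n' \
        "exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec"
}

# Stand-alone demo: ./script.sh demo customer-a.example
if [ "${1:-}" = "demo" ]; then
    base="$(make_vhost_dirs)"
    vhost_config "${2:-customer-a.example}" "$base"
    php_disable_functions
fi
```

The generated token lives only in httpd.conf and the admin's records, which is why the post also insists on keeping httpd.conf itself out of reach (step 5): the directory permissions stop enumeration, but any file that echoes the path (phpinfo, error messages, __FILE__) gives the secret away.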
