[ISN] Secure PHP Configuration
InfoSec News
alerts at infosecnews.org
Thu Mar 8 03:08:26 CST 2007
Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>
PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:
Ontrack Data Recovery: Data loss prevention tips
http://list.windowsitpro.com/t?ctl=4CFB8:57B62BBB09A69279E815B5C43101D5A9
Free White Paper: Address the Insider Threat
http://list.windowsitpro.com/t?ctl=4CFC4:57B62BBB09A69279E815B5C43101D5A9
Podcast: The Inside Story on Forefront Client Security
http://list.windowsitpro.com/t?ctl=4CFAB:57B62BBB09A69279E815B5C43101D5A9
=== CONTENTS ===================================================
IN FOCUS: Secure PHP Configuration
NEWS AND FEATURES
- RFID Hacking Presentation Draws Legal Threats
- 5 Vulnerabilities Kick Off Month of PHP Bugs
- Recent Security Vulnerabilities
GIVE AND TAKE
- Security Matters Blog: Firefox 2.0.0.2 Released--Finally!
- FAQ: Enable Parental Controls in Vista
- Share Your Security Tips
- Microsoft Learning Paths for Security: Securing Your Messaging
Infrastructure
PRODUCTS
- Assess Your Data Vulnerability
- Wanted: Your Reviews of Products
RESOURCES AND EVENTS
FEATURED WHITE PAPER
ANNOUNCEMENTS
=== SPONSOR: Ontrack Data Recovery =============================
Ontrack Data Recovery: Data loss prevention tips
Snow storms, extreme heat, hurricanes... they all have the potential to
interrupt your business and damage your data storage systems. While
your business might never be directly impacted by a natural disaster,
data loss can strike companies anytime and anywhere.
Be prepared by learning how to prevent data loss and what to do when
data loss affects your business.
Ontrack Data Recovery, the world leader in data recovery services and
software, is pleased to offer a FREE e-newsletter that addresses data
loss prevention and response.
Recent topics discussed in Ontrack's Data Recovery News include:
- Seven things to avoid when your drive crashes
- Data recovery options for flash media
- Do-it-yourself data recovery software products
Sign up for the FREE Ontrack Data Recovery Newsletter today:
http://list.windowsitpro.com/t?ctl=4CFB8:57B62BBB09A69279E815B5C43101D5A9
=== IN FOCUS: Secure PHP Configuration =========================
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
A Month of PHP Bugs was launched March 1. If you missed last week's
editorial about this initiative, you can read it on our Web site at the
URL below. Be sure to also read the related news item "5
Vulnerabilities Kick Off Month of PHP Bugs," which you can link to from
the Security News and Features section below.
http://list.windowsitpro.com/t?ctl=4CFB9:57B62BBB09A69279E815B5C43101D5A9
So far, Stefan Esser has posted several interesting vulnerabilities on
his Month of PHP Bugs site, some of which you can avoid by specific
practices. If you use PHP on your server, then you need to examine its
configuration to make sure it exposes no more of the engine than your
applications need. A command-execution function such as shell_exec left
enabled turns any file-upload or code-injection flaw in a script into
command execution on the server itself, which could in turn expose
other parts of your network.
If your Web system is closed (i.e., you don't allow others to upload or
create any files), your potential security risks are more limited than
if it's open. Either way, you need to take precautions to ensure that
certain functions aren't usable unless you intend for them to be used.
One example is that PHP can allow the use of the exec and shell_exec
functions, which essentially let you run OS commands and retrieve the
output. I've used the shell_exec function to good advantage. I had an
account with a Web hosting company, which had a server that would
frequently slow to a crawl, making nearly all access impossible. I grew
tired of the support staff's vague explanations and decided to
investigate the problem myself.
With the help of the shell_exec function (and a few others), I could
use PHP to look at a lot of the server's operational characteristics. I
discovered the bottleneck, contacted support, and alluded to the
problem. I figure the support team members scratched their heads for a
couple months wondering how I knew what was happening before they
finally wised up and disabled the shell_exec function.
In another example, I signed up for a blog at a popular site, which
will remain unnamed here. I wanted specific blog functionality that
wasn't available, so I went to work on a way around the limitations. I
discovered that this site too allowed dangerous functions to operate.
With a little work, I could navigate nearly the entire server disk
subsystem at will, read configuration files, discover path information,
and then manipulate my blog to gain the functionality I wanted by using
the information I had gathered to enable my custom scripts to run.
Eventually, the site staff figured out what was happening and disabled
many dangerous functions.
In addition to exec and shell_exec, the functions that hand PHP an OS
command, a process handle, or a native library are passthru, system,
popen, pclose, proc_open, proc_close, proc_get_status, proc_nice,
proc_terminate, and dl. (The backtick operator is shell_exec under
another name, so disabling shell_exec disables it as well.) A second
group doesn't run commands but lets a script alter the engine's own
settings or the server process: ini_set, set_time_limit, virtual,
apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid,
posix_setsid, and posix_setuid; shared hosts commonly disable these
too. Two cautions. First, suexec is not a PHP function (it's Apache's
setuid wrapper), so listing it in disable_functions has no effect.
Second, escapeshellcmd and escapeshellarg are the escaping helpers
that let code call the command functions safely; disabling the helpers
while leaving the command functions enabled makes nothing safer, and
once the command functions are disabled the helpers are harmless. Go
to this URL for other potentially dangerous functions:
http://list.windowsitpro.com/t?ctl=4CFAF:57B62BBB09A69279E815B5C43101D5A9
You can disable functions by adding (or editing) a line in your php.ini
file. disable_functions is a system-level setting (PHP_INI_SYSTEM): it
can be set only in php.ini or in the Web server's configuration (for
Apache, php_admin_value disable_functions in httpd.conf), never with
ini_set or in an .htaccess file, which is exactly what makes it useful
against scripts you don't control. Disable the whole command-execution
family at once, because any one function left enabled gives the same
capability as the rest:
disable_functions = exec, passthru, shell_exec, system, popen, proc_open, pcntl_exec, dl
Quotes around the value are optional. Write the names in lowercase, as
the manual spells them, and confirm the effective value after
restarting the Web server with php -i | grep disable_functions or with
phpinfo() from a test script.
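The disable_functions line above is only as good as the list it contains: a name PHP doesn't recognize is silently ignored, and one command function left off the list leaves the whole capability in place. The following Python script is an added example for this editorial, not code from the newsletter, from PHP, or from PhpSecInfo. It parses a php.ini fragment, audits the disable_functions value against the command-execution family named here (plus pcntl_exec, a function of the same class that is my addition to the list), flags escapeshellarg and escapeshellcmd if they were disabled, and reports names that are not PHP functions. The two php.ini fragments inside it are constructed for the demonstration; the weak one uses the example line from this editorial.

```python
"""Audit a php.ini disable_functions value against a hardening baseline.

Added example for this editorial; not code from the newsletter, from PHP,
or from PhpSecInfo. The two php.ini fragments below are constructed for
the demonstration.
"""
import re

# Functions that give a PHP script an OS command, a process handle or a
# native library. Leaving any one of them enabled gives an attacker the
# same capability as all of them, so the baseline requires the whole set.
# pcntl_exec is an addition to the editorial's list (same class of function).
COMMAND_FUNCTIONS = frozenset({
    "exec", "passthru", "shell_exec", "system", "popen", "proc_open",
    "pcntl_exec", "dl",
})

# escapeshellarg/escapeshellcmd only escape arguments for the functions
# above. Disabling them removes the safe way of calling a command function
# while leaving the unsafe way in place, so they are flagged, not required.
ESCAPING_HELPERS = frozenset({"escapeshellarg", "escapeshellcmd"})

# Names that show up in hardening guides but are not PHP functions
# (suexec is Apache's setuid wrapper). They give a false sense of coverage.
NOT_PHP_FUNCTIONS = frozenset({"suexec"})

# One php.ini directive per line. Lines starting with ';' are comments and
# do not match because the pattern requires the directive at line start.
_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*?)\s*$", re.M)


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the names in the effective disable_functions directive.

    A later duplicate directive in php.ini overrides an earlier one, so the
    last match wins. Quotes are optional; a trailing ';' starts a comment.
    Names are lowercased here for comparison; write them lowercase in
    php.ini, as the manual spells them.
    """
    names: set[str] = set()
    for match in _DIRECTIVE.finditer(ini_text):
        value = match.group(1).split(";", 1)[0].strip().strip("\"'")
        names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names


def audit(ini_text: str) -> dict[str, list[str]]:
    """Compare the configured list with the baseline; empty lists mean pass."""
    disabled = parse_disable_functions(ini_text)
    return {
        "still_enabled": sorted(COMMAND_FUNCTIONS - disabled),
        "escaping_helpers_disabled": sorted(disabled & ESCAPING_HELPERS),
        "no_effect": sorted(disabled & NOT_PHP_FUNCTIONS),
    }


def is_hardened(ini_text: str) -> bool:
    """True only when every finding category is empty."""
    return not any(audit(ini_text).values())


# Constructed fragment using the editorial's original example line.
WEAK_INI = """
[PHP]
expose_php = On
disable_functions = "shell_exec, suexec, passthru"
"""

# Constructed fragment with the whole command-execution family disabled.
# The backtick operator is shell_exec, so it is covered as well.
HARDENED_INI = """
[PHP]
expose_php = Off
disable_functions = exec, passthru, shell_exec, system, popen, proc_open, pcntl_exec, dl
"""


def report(label: str, ini_text: str) -> None:
    """Print a PASS/FAIL line and the non-empty finding categories."""
    findings = audit(ini_text)
    print(f"{label}: {'PASS' if is_hardened(ini_text) else 'FAIL'}")
    for category, names in findings.items():
        if names:
            print(f"  {category}: {', '.join(names)}")


if __name__ == "__main__":
    report("weak", WEAK_INI)
    report("hardened", HARDENED_INI)
```

Point it at the file that php --ini reports as the loaded configuration file; the pass condition is an empty report in all three categories. Against the editorial's own example line the script reports exec, system, popen, proc_open, pcntl_exec and dl as still enabled and suexec as having no effect, which is the gap a hosting provider's first attempt at hardening typically leaves.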
More help for configuring PHP can be found at these URLs:
Ayman Hourieh's Blog
http://list.windowsitpro.com/t?ctl=4CFB4:57B62BBB09A69279E815B5C43101D5A9
WEB-DOT-DEV--PHP Configuration
http://list.windowsitpro.com/t?ctl=4CFAE:57B62BBB09A69279E815B5C43101D5A9
PHP Manual
http://list.windowsitpro.com/t?ctl=4CFC1:57B62BBB09A69279E815B5C43101D5A9
PHP Security Consortium's PhpSecInfo
http://list.windowsitpro.com/t?ctl=4CFC3:57B62BBB09A69279E815B5C43101D5A9
Finally, a good resource with lots of other links (including books) is
available at the PHP Security Consortium's Web site:
http://list.windowsitpro.com/t?ctl=4CFC7:57B62BBB09A69279E815B5C43101D5A9
=== SPONSOR: NetIQ =============================================
Free White Paper: Address the Insider Threat
Learn how to develop a comprehensive management system that
virtually eliminates the risk of an insider threat. Co-authored by
NetIQ and Dr. Eric Cole, this informative white paper identifies the
key business processes that must be secured and gets you ready to build
a solution to contain the insider threat.
http://list.windowsitpro.com/t?ctl=4CFC4:57B62BBB09A69279E815B5C43101D5A9
=== SECURITY NEWS AND FEATURES =================================
RFID Hacking Presentation Draws Legal Threats
IOActive, a consulting firm that specializes in information risk
management and application security analysis, was slated to give a
presentation on RFID hacking at the Black Hat DC Briefings last week;
however, the presentation was withdrawn due to controversy.
http://list.windowsitpro.com/t?ctl=4CFBA:57B62BBB09A69279E815B5C43101D5A9
5 Vulnerabilities Kick Off Month of PHP Bugs
Of the first five vulnerabilities posted by Stefan Esser, two could
cause a system crash, one could cause maximum CPU usage thereby
creating a Denial of Service (DoS) condition, and two can be exploited
to cause data overflow conditions.
http://list.windowsitpro.com/t?ctl=4CFB6:57B62BBB09A69279E815B5C43101D5A9
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=4CFB0:57B62BBB09A69279E815B5C43101D5A9
=== SPONSOR: Core Security =====================================
Podcast: The Inside Story on Forefront Client Security
Are all of your malware definitions completely up to date? If they
are, then you are halfway home to total malware protection. Windows
Vista may be the most secure Microsoft OS ever released, but malware is
constantly evolving, and sometimes out-of-the-box security just isn't
enough. In this exclusive podcast, Windows IT Pro Research and Strategy
Director Karen Forster interviews Microsoft Product Manager Josue
Fontanez about Microsoft's unified malware protection package:
Forefront Client Security.
http://list.windowsitpro.com/t?ctl=4CFAB:57B62BBB09A69279E815B5C43101D5A9
=== GIVE AND TAKE ==============================================
SECURITY MATTERS BLOG: Firefox 2.0.0.2 Released--Finally!
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4CFC0:57B62BBB09A69279E815B5C43101D5A9
Mozilla Foundation released Firefox 2.0.0.2, fixing many security bugs
along with other annoying problems.
http://list.windowsitpro.com/t?ctl=4CFBB:57B62BBB09A69279E815B5C43101D5A9
FAQ: Enable Parental Controls in Vista
by John Savill, http://list.windowsitpro.com/t?ctl=4CFBE:57B62BBB09A69279E815B5C43101D5A9
Q: How do I enable the Windows Vista Parental Controls feature on a
domain-joined machine?
Find the answer at
http://list.windowsitpro.com/t?ctl=4CFB5:57B62BBB09A69279E815B5C43101D5A9
SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r at securityprovip.com. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.
MICROSOFT LEARNING PATHS FOR SECURITY: Securing Your Messaging
Infrastructure
These resources provide guidance on securing your messaging
infrastructure, including best practices for message hygiene
technologies and configuration strategies. You'll also get an in-depth
look at the Microsoft Forefront line of business security products,
which help protect application servers such as Microsoft Exchange
Server 2007, Microsoft Office SharePoint Server 2007, and Microsoft
Office Communications Server 2007.
http://list.windowsitpro.com/t?ctl=4CFBC:57B62BBB09A69279E815B5C43101D5A9
=== PRODUCTS ===================================================
by Renee Munshi, products at windowsitpro.com
Assess Your Data Vulnerability
Scentric announced the availability of the Data Privacy Assessment
Tool, which you can download and use for 30 days if you register on the
Scentric Web site. The tool classifies files on laptops, desktops, and
file servers, discovering data from several preset categories,
including confidential, copyright, credit cards, Social Security
numbers, payroll, and health. After you determine your level of
vulnerability, you can use Scentric Destiny Enterprise Suite for Data
Privacy to enforce policies. The Destiny Enterprise Suite includes a
classification engine, support for major file types including Microsoft
Exchange email, and prebuilt rule sets that provide automated
operations and a foundation for protecting sensitive information. For
more information, go to
http://list.windowsitpro.com/t?ctl=4CFC8:57B62BBB09A69279E815B5C43101D5A9
WANTED: your reviews of products you've tested and used in
production. Send your experiences and ratings of products to
whatshot at windowsitpro.com and get a Best Buy gift certificate.
=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=4CFBD:57B62BBB09A69279E815B5C43101D5A9
Every business faces risk. Have you properly assessed your company's
risk and put a focus on business continuity? Attend this free, on-
demand Web seminar to learn how you can ensure seamless recovery of
your key systems and keep your users continuously connected.
http://list.windowsitpro.com/t?ctl=4CFAA:57B62BBB09A69279E815B5C43101D5A9
Because a secure email and messaging infrastructure is fundamental to
your business, every organization needs to plan from the start for
three fundamental email and messaging management services: security,
availability, and control services. This eBook explains how to
implement those services in a Microsoft-centric email and messaging
environment. Download now!
http://list.windowsitpro.com/t?ctl=4CFAC:57B62BBB09A69279E815B5C43101D5A9
Windows + UNIX/Linux = You Need TechX World!
If you work in an environment that includes Windows plus UNIX or
Linux, TechX World is the place to go for practical strategies and
resources to add to your toolkit. This one-day technical training event
will teach you how to make the most of open-source tools on Windows and
how to manage and sync multiple directories. Register today!
http://list.windowsitpro.com/t?ctl=4CFB7:57B62BBB09A69279E815B5C43101D5A9
=== FEATURED WHITE PAPER =======================================
Do you want to block unwanted or undesirable email? Download this free
white paper to learn how to manage the content of messages traveling
your network.
http://list.windowsitpro.com/t?ctl=4CFAD:57B62BBB09A69279E815B5C43101D5A9
=== ANNOUNCEMENTS ==============================================
Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new
articles every week on topics such as perimeter security,
authentication, and system patches. Subscribers also receive tips,
cautionary advice, direct access to our editors, and a host of other
benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=4CFB1:57B62BBB09A69279E815B5C43101D5A9
Grab Your Share of the Spotlight!
Nominate yourself or a peer to become IT Pro of the Month. This is
your chance to get the recognition you deserve! Winners will receive
over $600 in IT resources and be featured in Windows IT Pro. It's easy
to enter--we're accepting April nominations now, but only for a limited
time! Submit your nomination today:
http://list.windowsitpro.com/t?ctl=4CFC2:57B62BBB09A69279E815B5C43101D5A9
================================================================
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
http://list.windowsitpro.com/t?ctl=4CFBF:57B62BBB09A69279E815B5C43101D5A9
http://list.windowsitpro.com/t?ctl=4CFC6:57B62BBB09A69279E815B5C43101D5A9
Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=4CFB3:57B62BBB09A69279E815B5C43101D5A9
Be sure to add Security_UPDATE at list.windowsitpro.com
to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=4CFC5:57B62BBB09A69279E815B5C43101D5A9
About your product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=4CFB2:57B62BBB09A69279E815B5C43101D5A9
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2007, Penton Media, Inc. All rights reserved.
More information about the ISN
mailing list