Bugtraq: Re: PHP security (or the lack thereof)

[Neil Neely <neil () frii com>]

On Jun 16, 2006, at 5:21 AM, Darren Reed wrote:

[Funny commentary picking on PHP deleted]

For those of us that have to administer shared hosting servers where  
customers can and do build/install very poorly written web  
applications it can be a full time job trying to protect your  
server.  The fact that the majority of these target PHP is  
interesting, but frankly not really relevant to those of us that need  
to maintain the environment.  Due to the aggressive attempts to  
exploit these web applications we found we needed to do something  
more, and we found an excellent tool that helps out a lot with this,  
at least on servers running apache:
http://www.modsecurity.org/

It is essentially an application layer firewall that blocks certain  
known bad patterns from being passed through to the underlying web  
applications.  This is in no way a substitute for good security  
policies on your web servers and ultimately fixing the underlying  
security problems of the web applications.  When tuned well it can be  
a useful additional layer to help defend your server.  It won't stop  
the underlying application from having terrible logic that is  
exploitable, but as you tune your modsecurity setup over time you can  
at least mitigate some of it.
I just wanted to pass this on in case any admins reading this list  
didn't know about it.  It's really saved us a lot of time and energy.
Cheers,
        Neil