[WEB SECURITY] Securing apache installation with PHP

Martin Straka straka at fido.cz
Thu May 19 09:52:40 EDT 2005


On Thu, 19 May 2005, Cedric Foll wrote:

> I have to set up a new web server where many users would be able to put
> PHP web pages.
> I would like to harden my setup.
> I've read these great articles http://www.securityfocus.com/infocus/1706

I think these simple mod_security settings from this article:

 SecFilterDefaultAction "deny,log,status:500"
 SecFilter "<(.|\n)+>"

for XSS and:

  SecFilter "'"
  SecFilter "\""

for SQL injection will not protect you (your user websites) against XSS
and SQL injection attacks, but only create headache for you, because it
will break many valid applications.

Martin Straka
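
The breakage described in the message above can be checked offline. The following is an added example, not part of the original post: it applies the three quoted SecFilter patterns to constructed, benign form submissions, assuming the filters are matched against URL-decoded parameter values.

```python
import re
from urllib.parse import parse_qsl

# The three SecFilter patterns quoted in the message, as Python regexes.
RULES = [
    ("xss-tag", re.compile(r"<(.|\n)+>")),
    ("sqli-single-quote", re.compile(r"'")),
    ("sqli-double-quote", re.compile(r'"')),
]

# Constructed, benign form submissions (sample data, not from the post).
SAMPLE_REQUESTS = [
    "name=Patrick+O%27Brien&city=Cork",
    "comment=She+said+%22thanks%22+and+left",
    "body=if+a+%3C+b+and+c+%3E+d+then+swap",
    "post=Use+%3Cb%3Ebold%3C%2Fb%3E+for+emphasis",
    "q=apache+php+hardening",
]


def first_match(query_string):
    """Return (rule name, parameter) for the first rule that would deny
    the request, or None if no rule matches any parameter value."""
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        for name, pattern in RULES:
            if pattern.search(value):
                return name, key
    return None


def audit(requests):
    """Pair every request with the rule that would deny it (or None)."""
    return [(qs, first_match(qs)) for qs in requests]


if __name__ == "__main__":
    for qs, hit in audit(SAMPLE_REQUESTS):
        verdict = f"DENY 500 ({hit[0]} on '{hit[1]}')" if hit else "allow"
        print(f"{verdict:45} {qs}")
```

Four of the five harmless submissions are denied: an apostrophe in a surname, quoted speech, a plain-text comparison, and ordinary markup in a post.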

