[WEB SECURITY] Securing apache installation with PHP

Martin Straka straka at fido.cz
Thu May 19 09:52:40 EDT 2005


Hi,

On Thu, 19 May 2005, Cedric Foll wrote:

> I have to set up a new web server where many users would be able to put
> PHP web pages.
>
> I would like to harden my setup.
>
> I've read these great articles http://www.securityfocus.com/infocus/1706

I think these simple mod_security settings from this article:

 SecFilterDefaultAction "deny,log,status:500"
 SecFilter "<(.|\n)+>"

for XSS and:

  SecFilter "'"
  SecFilter "\""

for SQL injection will not protect you (your user websites) against XSS
and SQL injection attacks, but only create headache for you, because it
will break many valid applications.

Regards,
Martin Straka



---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
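Added example, not part of the original message or of the referenced article: a small Python check of how the three quoted SecFilter patterns treat ordinary form input, illustrating the "break many valid applications" point. It assumes the patterns behave as case-insensitive regex searches over a decoded parameter value; the field names and sample values are constructed.

```python
import re

# The three patterns quoted in the message, rewritten as Python regexes.
# Assumption: each is applied as a case-insensitive search over one decoded
# request parameter; a match triggers the default action (deny, status 500).
FILTERS = [
    ("xss-tag", re.compile(r"<(.|\n)+>", re.IGNORECASE)),
    ("sqli-single-quote", re.compile(r"'")),
    ("sqli-double-quote", re.compile(r'"')),
]

# Constructed, benign form submissions a shared PHP host would see daily.
BENIGN_SAMPLES = [
    ("surname", "O'Brien"),
    ("comment", "use it when a < b and c > d"),
    ("search", 'the "best" editor'),
    ("contact", "Jane Doe <jane@example.org>"),
    ("city", "Prague"),
    ("note", "price < 10 EUR"),
]


def matching_filters(value):
    """Return the names of every filter that would deny this value."""
    return [name for name, rx in FILTERS if rx.search(value)]


def blocked_samples(samples):
    """Return (field, value, filters) for each benign sample that is denied."""
    hits = []
    for field, value in samples:
        matched = matching_filters(value)
        if matched:
            hits.append((field, value, matched))
    return hits


if __name__ == "__main__":
    hits = blocked_samples(BENIGN_SAMPLES)
    for field, value, matched in hits:
        print(f"DENY {field}={value!r} by {', '.join(matched)}")
    print(f"{len(hits)} of {len(BENIGN_SAMPLES)} benign inputs denied")
```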
