[WEB SECURITY] Securing apache installation with PHP

Michael McDonnell michael at winterstorm.ca
Mon May 23 21:13:35 EDT 2005

Cedric Foll wrote:

>I have to set up a new web server where many users would be able to put
>PHP web pages.
>I would like to harden my setup.
>I've read these great articles http://www.securityfocus.com/infocus/1706
>and http://www.securityfocus.com/infocus/1694.
>I use all the advice here and I'm going to use mod_security.
>What else can I do to protect my webserver?
One small suggestion that I don't think has been mentioned is that you 
should modify the default settings for your access logs.  The default 
LogFormat lines for apache look something like:

LogFormat "%a %l %u %t \"%r\" %>s %b" common
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" 

The "%a" tells apache to log the hostname or IP address of the client 
making an HTTP request.  By default apache is configured to log only IPs 
(controlled by the "HostName off" directive).  There are conditions 
under which hostnames will be logged even when "HostName off" is 
configured however (e.g. if you use a domain based access control 
directive, then "HostName off" will be ignored).

The "%a" is a problem because it could potentially expose you to Inverse 
Lookup Logfile Corruption attacks (ILLC).  If apache is performing 
hostname resolution on IP address, then an attacker that controls their 
own reverse domain can make any string show up in the "%a" field.  It is 
best to change the "%a" to "%h" instead.  "%h" will always log the IP 
and never the hostname.

This may seem like unconstrained paranoia, however I have seen these 
attacks in the wild.  Sometimes an attacker returns HTML or JavaScript 
instead of a hostname, hoping to exploit an XSS vulnerability in web 
stats software.  Other times they will return an IP address instead of a 
hostname to a reverse lookup, trying to trick you into thinking another 
IP made the request.

A year or two ago I wrote something for SANS about this with more 
details.  A copy is available at 

Michael McDonnell
michael at winterstorm.ca
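The following is an added example, not code from the post or the list: a small audit of Apache access-log lines in the "common" format shown above. It assumes the client field should only ever hold an IP address literal (what you get once Apache no longer writes hostnames into the log) and reports every line where that field is not an IP or carries markup or control characters, which is the footprint of a reverse-DNS answer ending up in the log. The sample log lines are constructed for the example.

```python
"""Audit the client field of Apache "common" format access-log lines.

Added example, not from the original mailing-list post.  Assumes the
LogFormat "%a %l %u %t \"%r\" %>s %b" quoted in the post, and that a
hardened server only ever logs an IP address in the first field.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Fields of the "common" format: client ident user [time] "request" status bytes
COMMON_LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Characters that have no business in a client address: HTML/JS markup,
# quotes, backslashes and control characters (CR/LF would split log lines).
MARKUP_RE = re.compile(r'[<>"\'&;\\\x00-\x1f\x7f]')

# Constructed sample: two normal requests, then a client field carrying a
# script tag (what an attacker-controlled reverse zone can inject when
# hostnames are logged), then a hostname built to look like an address.
SAMPLE_LOG = """\
192.0.2.10 - - [23/May/2005:21:13:35 -0400] "GET /index.php HTTP/1.1" 200 512
2001:db8::7 - - [23/May/2005:21:13:36 -0400] "GET /about.php HTTP/1.1" 200 1024
<script>alert(1)</script>.example - - [23/May/2005:21:13:37 -0400] "GET /x.php HTTP/1.1" 404 0
203.0.113.5.evil.example - - [23/May/2005:21:13:38 -0400] "GET /y.php HTTP/1.1" 200 12
"""


@dataclass(frozen=True)
class Finding:
    line_no: int              # 1-based line number in the input
    client: str               # raw content of the client field (or whole line)
    reasons: Tuple[str, ...]  # why the line was flagged


def is_ip_literal(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_client_fields(log_text: str) -> List[Finding]:
    """Return one Finding per line whose client field is not a plain IP address."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        match = COMMON_LOG_RE.match(line)
        if match is None:
            # An injected hostname containing whitespace or quotes can break
            # the line format itself; report that rather than silently skip it.
            findings.append(Finding(line_no, line, ("line does not match common log format",)))
            continue
        client = match.group("client")
        reasons = []
        if not is_ip_literal(client):
            reasons.append("client field is not an IP address")
        if MARKUP_RE.search(client):
            reasons.append("client field contains markup or control characters")
        if reasons:
            findings.append(Finding(line_no, client, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in audit_client_fields(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.client!r}: {'; '.join(finding.reasons)}")
```

Note that the second trick described in the post, a reverse-DNS answer that is itself a well-formed IP address, passes this check unchanged, since a parser cannot tell a logged address from a logged hostname that looks like one. The audit only catches the noisy cases; the real fix is the configuration change above that keeps hostnames out of the field altogether.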
