| 1 |
Actually, I'd be pretty interested in what you have to rant about PHP. |
| 2 |
I run apache with php_mod installed and have the http port open. Is |
| 3 |
there a security risk I should be aware of? |
| 4 |
|
| 5 |
Thanks |
| 6 |
|
| 7 |
On 2/22/07, Alan McKinnon <alan@××××××××××××××××.za> wrote: |
| 8 |
> On Thursday 22 February 2007, Michael Sullivan wrote: |
| 9 |
> |
| 10 |
> > Also, I've always heard that you shouldn't |
| 11 |
> > have any ports open on your machine unless you have some server bound |
| 12 |
> > to that port because hackers can get in through unbound open ports. |
| 13 |
> > Is this true? If so, how does it work? |
| 14 |
> |
| 15 |
> That sounds like something out of Hollywod, perhaps that atrocious movie |
| 16 |
> called Hackers with Angelina Jolie in it..... |
| 17 |
> |
| 18 |
> I fail to see how, in this universe, you can open a port and not have |
| 19 |
> something listen on it. Let's face it: a process, or the kernel itself, |
| 20 |
> asks to be informed about packets arriving for port X. What is port X? |
| 21 |
> It's a number in the TCP/UDP packet so the receiving kernel knows which |
| 22 |
> process to send the data to. If that process is not listening, the |
| 23 |
> packets go ... nowhere. They don't have magic Gandalfs inside them that |
| 24 |
> suddenly sprout up and do l33t h4x0r sh1t to your machine. |
| 25 |
> |
| 26 |
> Maybe there's some default behaviour the kernel applies to packets that |
| 27 |
> are sent to hung/sleeping/absent processes. Maybe that default |
| 28 |
> behaviour is such that there's a buffer overflow waiting to be |
| 29 |
> exploited. Maybe... I think I wanna see the code and not some bullshit |
| 30 |
> posted on an arb blog somewhere. |
| 31 |
> |
| 32 |
> You should be much more worried about vulnerabilities in known software |
| 33 |
> that you don't really use that are running by default. |
| 34 |
> |
| 35 |
> By far the most common attack vector is weak user names and passwords |
| 36 |
> accessed via ssh. Solution is a sensbile password policy, or allow ssh |
| 37 |
> access only via keys. |
| 38 |
> |
| 39 |
> Then there's php, but I don't think you want to get me started on |
| 40 |
> that... |
| 41 |
> |
| 42 |
> alan |
| 43 |
> |
| 44 |
> -- |
| 45 |
> Optimists say the glass is half full, |
| 46 |
> Pessimists say the glass is half empty, |
| 47 |
> Developers say wtf is the glass twice as big as it needs to be? |
| 48 |
> |
| 49 |
> Alan McKinnon |
| 50 |
> alan at linuxholdings dot co dot za |
| 51 |
> +27 82, double three seven, one nine three five |
| 52 |
> -- |
| 53 |
> gentoo-user@g.o mailing list |
| 54 |
> |
| 55 |
> |
| 56 |
|
| 57 |
|
| 58 |
-- |
| 59 |
-·=»Ðŧħ«=·- |
Archives