Site security

Discussion in 'General' started by SamTzu, Oct 19, 2011.

  1. SamTzu

    SamTzu Member

    %00 is known as a "poison null byte" attack. "Response 200" is not what we want to see. System commands can be included after that line.

    Check if you can see your page with this command after the domain part...
    Easy way to prevent this is to include this line in the .htaccess file.
    I have been meaning to address this problem. Should 'Perfect Server' also have mod_security installed and enabled? Or can we include that RewriteCond on server level in the Apache config?

    You can install mod_security in Debian with these commands...
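An added example, not the .htaccess line from SamTzu's post (which is not shown above): a mod_rewrite rule that answers requests carrying an encoded null byte with 403 Forbidden instead of "Response 200". It assumes mod_rewrite is loaded and that AllowOverride permits FileInfo for the site's web directory; the application bug itself still has to be fixed, this only adds a layer in front of it.

```apache
# Added example for defence in depth; the real fix is to sanitize or
# whitelist anything passed to include()/fopen() in the PHP application.
# Requires: mod_rewrite enabled and "AllowOverride FileInfo" (or All)
# for the directory holding this .htaccess file (assumption).
RewriteEngine On

# Encoded null byte in the query string, e.g.
#   ?page=../../../../proc/self/environ%00
# QUERY_STRING is not URL-decoded, so "%00" appears literally.
RewriteCond %{QUERY_STRING} \%00 [NC,OR]

# The raw request line also catches a double-encoded null byte (%2500)
# that a decoding layer further down might turn into %00 again.
RewriteCond %{THE_REQUEST} (\%00|\%2500) [NC]

# Reply 403 Forbidden and stop processing further rewrite rules.
RewriteRule .* - [F,L]
```

The rule deliberately does not touch %{REQUEST_URI}: Apache already rejects a %00 in the path part of the URL with 400 Bad Request before mod_rewrite runs.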
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The above example is not directly related to ispconfig or the use of ispconfig on a server, this is a general issue on site security for PHP scripts, just to make this clear to other readers.

    If a php application allows such queries, then the php app has a bug, as php apps should never include or access content that is passed to them as a get variable without sanitizing the content. Nevertheless, I'm aware that such apps still exist. In ISPConfig, there is already an open_basedir restriction set for every website that restricts access to the web directory, so opening a file in /proc with php fopen or include / require functions should not be possible in the default configuration.

    I just did a small test with this php file:


    and the output is as expected:

    Warning: include() [function.include]: open_basedir restriction in effect. File(../../../../../../../../../../../../../../../proc/self/environ\0) is not within the allowed path(s): (/var/www/clients/client1/web1/web:/var/www/clients/client1/web1/tmp:/usr/share/php5) in /var/www/clients/client1/web1/web/test.php on line 2

    You can enhance this protection by installing mod_security as you described in your post or by adding some apache directives, and I really recommend that. I'm not sure what the performance impact of using mod_security on a server is; this should be evaluated to make a decision on whether we should include that in the default perfect setup install or whether it's better to make a new general tutorial on techniques to secure php websites where we can explain in detail the pros and cons of the various options.
    Last edited: Oct 19, 2011
  3. pititis

    pititis Member

    Modsecurity without rules doesn't help. It's a very good mod. The impact on servers is usually memory: more rules, more memory. The base rules are ok and memory use is acceptable. Ispconfig with open_basedir restrictions, fastcgi and some php functions disabled is secure, but again RFI, SQL injection, etc. in some insecure applications from any customer can be a disaster, and that is why I use modsecurity.

    Thanks for the report SamTzu!
  4. erosbk

    erosbk New Member

  5. SamTzu

    SamTzu Member

    That link should give an error message.
    The easy way to fix the site is to use the .htaccess rule to prevent the poison null byte.