[Micronet] PHP security help


[Micronet] PHP security help

Paul Mackinney
One of my system logs is showing the following. I'd appreciate it if someone could help to a) lock down this specific issue, and b) recommend a good source for booking up on PHP security. So far http://www.phpfreaks.com/tutorial/php-security is the best online source I've found.

TIA, PM


 A total of 2 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):
 
    //index.php?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 302
    /drupal/?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%2500 HTTP Response 200

--
Paul Mackinney
2111ABC Etcheverry Hall
University of California at Berkeley
Berkeley, CA 94720-1740
510/643-0106
[hidden email]



 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
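As an added example that is not part of the original thread (my code, not Paul's and not IST's): a short script that flags the two request lines in Paul's excerpt as directory-traversal / local-file-inclusion probes, and alongside it the path-containment check a component loader needs so that a user-supplied `controller` value cannot reach outside its own directory. The logwatch-style line format, the directory `/var/www/app/controllers`, the allowlist names and the benign third log line are assumptions constructed for the example; nothing here identifies which component on Paul's host, if any, is actually vulnerable.

```python
"""Flag traversal / LFI probes in web log entries and show the containment
check that defeats them.

Added example, not from the original post. The first two request lines are
the ones from Paul's log excerpt; the third is a benign line constructed here.
"""
import os
import re
from urllib.parse import unquote

# Two lines from the post plus one constructed benign line.
SAMPLE_LOG = [
    "   //index.php?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 302",
    "   /drupal/?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%2500 HTTP Response 200",
    "   /drupal/?q=node/5 HTTP Response 200",  # constructed, not from the post
]

# Logwatch-style line: "<url> HTTP Response <status>" (format assumed from the excerpt).
LOG_LINE = re.compile(r"^\s*(?P<url>\S+)\s+HTTP Response (?P<status>\d{3})\s*$")

# Substrings that, once decoded, mark a file-inclusion probe rather than normal traffic.
SENSITIVE_TARGETS = ("/proc/self/environ", "/etc/passwd", "php://", "data:")


def decode_fully(s, max_rounds=3):
    """URL-decode until the string stops changing; return (decoded, rounds).

    %00 becomes a NUL byte after one round, %2500 only after two. The second
    probe in the log is the same payload double-encoded to get past a filter
    that decodes only once, so the round count is itself an indicator.
    """
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(s)
        if nxt == s:
            break
        s, rounds = nxt, rounds + 1
    return s, rounds


def analyze_request(url):
    """Return the list of indicator names found in a request URL ([] if clean)."""
    decoded, rounds = decode_fully(url)
    indicators = []
    if "\x00" in decoded:
        indicators.append("null-byte")          # truncates an appended ".php"
    if rounds >= 2:
        indicators.append("double-encoded")     # filter-evasion attempt
    if re.search(r"\.\.[/\\]", decoded):
        indicators.append("traversal")          # ../ climbing out of the webroot
    if any(t in decoded for t in SENSITIVE_TARGETS):
        indicators.append("sensitive-target")   # /proc/self/environ etc.
    return indicators


def scan_log(lines):
    """Parse log lines and return a finding for each suspicious request.

    The status code is carried along but deliberately not treated as proof of
    success: a front controller that ignores unknown query parameters answers
    200 whether or not anything was included.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        indicators = analyze_request(m["url"])
        if indicators:
            findings.append({"url": m["url"], "status": int(m["status"]),
                             "indicators": indicators})
    return findings


def resolve_under_root(root, user_supplied, allowed_names=None):
    """Containment check a controller loader needs (the PHP equivalent is an
    allowlist plus realpath()). Rejects NUL bytes, enforces the allowlist when
    one is given, and requires the resolved file to stay under root.
    Returns the absolute path to load, or None to refuse.
    """
    if "\x00" in user_supplied:
        return None
    if allowed_names is not None and user_supplied not in allowed_names:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_supplied + ".php"))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["status"], ",".join(f["indicators"]), f["url"])
    root = "/var/www/app/controllers"  # assumed layout
    for name in ("product", "../../../../proc/self/environ"):
        print(repr(name), "->", resolve_under_root(root, name, {"product", "cart"}))
```

Run it as a script to see the two probes flagged (the first with `null-byte,traversal,sensitive-target`, the second additionally `double-encoded`) and the benign line ignored. The `resolve_under_root` half is what "locking down" looks like from the application side: decide which controller names are legal before touching the filesystem, and verify the resolved path rather than trying to strip `../` from the input.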
Re: [Micronet] PHP security help

Aron Roberts
At 10:43 -0700 2010-07-21, Paul Mackinney wrote:
>I'd appreciate it if someone could help to ... b) recommend a good
>source for booking up on PHP security. So far
>http://www.phpfreaks.com/tutorial/php-security is the best online
>source I've found.

   From a Webnet post in mid-2007, noting well that was a full three
years ago :-), but suspecting that some of the major issues may not
have radically changed over that time:

>From Bill Allison, IST Web Applications manager:
>
>>While it's possible to do good PHP development, the language is
>>very forgiving about bad practices and hasn't fostered strong
>>commonality of practices, nomenclature etc., whereas other
>>languages (and their associated frameworks & toolsets) provide more
>>structured and one would hope, safer options. ...
>>
>>For people thinking about doing PHP on campus, I'd recommend the
>>following reading:
>>
>>http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
>>
>>Essential PHP Security
>>http://proquest.safaribooksonline.com/059600656X

Aron Roberts
Information Services and Technology

Re: [Micronet] PHP security help

billallison
Thanks Aron,

Someone from our team reached out to Paul off-list, so hope that was helpful.  To reiterate, if you haven't looked through the books available (on all kinds of technical topics) via the campus O'Reilly agreement, it's worth checking it out at http://proquest.safaribooksonline.com   

I'd also add that, to drive to language/stack-specific security practices, all developers in any language should be conversant with the great materials online at http://www.owasp.org/ and the "Other Resources" section at https://security.berkeley.edu/bp.html

Feel free to email me off-list if you have any other thoughts.  Through partnership with SNS, IST can help campus departments developing web applications access the campus enterprise IBM AppScan security/vulnerability testing tool and provide some help getting started.

-Bill

----
Bill Allison
Senior Manager, Application Services
Information Services & Technology
Chair, Campus IT Architecture Committee

On Jul 21, 2010, at 12:07 PM, Aron Roberts wrote:

> At 10:43 -0700 2010-07-21, Paul Mackinney wrote:
>> I'd appreciate it if someone could help to ... b) recommend a good
>> source for booking up on PHP security. So far
>> http://www.phpfreaks.com/tutorial/php-security is the best online
>> source I've found.
>
>   From a Webnet post in mid-2007, noting well that was a full three
> years ago :-), but suspecting that some of the major issues may not
> have radically changed over that time:
>
>> From Bill Allison, IST Web Applications manager:
>>
>>> While it's possible to do good PHP development, the language is
>>> very forgiving about bad practices and hasn't fostered strong
>>> commonality of practices, nomenclature etc., whereas other
>>> languages (and their associated frameworks & toolsets) provide more
>>> structured and one would hope, safer options. ...
>>>
>>> For people thinking about doing PHP on campus, I'd recommend the
>>> following reading:
>>>
>>> http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
>>>
>>> Essential PHP Security
>>> http://proquest.safaribooksonline.com/059600656X
>
> Aron Roberts
> Information Services and Technology
>
