Deployment question: Anyone using modSecurity (or equiv) to ensure hackers keep out of Seaside?
Locked
Deployment question: Anyone using modSecurity (or equiv) to ensure hackers keep out of Seaside?
 
|
I had an issue over the weekend with my main server which is used as my
Seaside front end.. The issue was not related to Seaside at all but was related to me having an instance of RoundCube sitting in my htdocs directory for Apache.. Needless to say there was a security issue with the version of the code I had and someone took advantage of it to run a perl script (via a script/PHP vulnerability) that started sending spam out and sucking up 100% of one of the 4 CPU's on the box.. This manifested itself in that our ISP shutdown our connection and our systems stopped responding to Internet traffic. In poking around I found that our unix server was constantly hammering our router which seemed very odd. Anyway, I obviously found the culprit and have since ensured it would not be hit again. So.. In reviewing the issue involved with this it appears that something like ModSecurity (see links below) and rules from GotRoot.com might help prevent this sort of thing from happening and was curious if anyone running Seaside/Apache combinations has gone down this path to ensure naughty things don't get passed into Seaside if possible.. Obviously I realize that PHP != Smalltalk and that exploits could be different but I'd like to reduce the chances as best I can. Just to be fair & clear, I've got no interest or relation to either of the two organizations below.. I've not even used their stuff yet.. I just want to see if anyone else has gone down this path to ensure your Seaside apps are not being hit for tasks they're not designed for... Links: http://www.modsecurity.org/ http://www.gotroot.com/ _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: Deployment question: Anyone using modSecurity (or equiv) to ensure hackers keep out of Seaside?
|
|
>>>>> "Rick" == Rick Flower <[hidden email]> writes:
Rick> So.. In reviewing the issue involved with this it appears that something Rick> like ModSecurity (see links below) and rules from GotRoot.com might help Rick> prevent this sort of thing from happening and was curious if anyone Rick> running Seaside/Apache combinations has gone down this path to ensure Rick> naughty things don't get passed into Seaside if possible.. Obviously I Rick> realize that PHP != Smalltalk and that exploits could be different but Rick> I'd like to reduce the chances as best I can. Since Seaside doesn't have any of the things listed at http://www.modsecurity.org/documentation/Securing_Web_Services_with_ModSecurity_2.0.pdf, namely: Variable-length buffer injection Meta character injection SQL injection SOAP fault code disclosure I'm not sure why you think modsecurity would help. Assuming you're using GLORP for most of your sql, and follow best practices for the small stuff that you would handwrite, of course. The reason most PHP suffers from this stuff is that (a) PHP is written in C and (b) many PHP coders are notoriously bad at understanding metacharacters and (c) most PHP coders do not appear to understand SQL placeholders. And SOAP is just bad. :) -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 <[hidden email]> <URL:http://www.stonehenge.com/merlyn/> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc. See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: Deployment question: Anyone using modSecurity (or equiv) to ensure hackers keep out of Seaside?
|
|
On Mon, February 16, 2009 9:44 am, Randal L. Schwartz wrote:
> Since Seaside doesn't have any of the things listed at > http://www.modsecurity.org/documentation/Securing_Web_Services_with_ModSecurity_2.0.pdf, > namely: > > Variable-length buffer injection > Meta character injection > SQL injection > SOAP fault code disclosure > > I'm not sure why you think modsecurity would help. Well.. Without knowing what the internals of Seaside are doing (and I'm frankly not that interested in knowing -- too many other things to do) or how they're written, I couldn't answer those questions.. Hence my post to the list. Thank you for pointing out that Seaside is not vulnerable to any of the exploits that are listed above.. That's good to know. However, it does not solve my issue since I do have Apache installed and will continue to have at least some PHP code for other things (Squirrelmail,etc) lying around. Perhaps this is true for others as well.. Regardless I guess its good to be kept on your toes for this sort of thing.. -- Rick _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: Deployment question: Anyone using modSecurity (or equiv) to ensure hackers keep out of Seaside?
|
|
In reply to this post by Randal L. Schwartz
2009/2/16 Randal L. Schwartz <[hidden email]>:
>>>>>> "Rick" == Rick Flower <[hidden email]> writes: > > Rick> So.. In reviewing the issue involved with this it appears that something > Rick> like ModSecurity (see links below) and rules from GotRoot.com might help > Rick> prevent this sort of thing from happening and was curious if anyone > Rick> running Seaside/Apache combinations has gone down this path to ensure > Rick> naughty things don't get passed into Seaside if possible.. Obviously I > Rick> realize that PHP != Smalltalk and that exploits could be different but > Rick> I'd like to reduce the chances as best I can. > > Since Seaside doesn't have any of the things listed at > http://www.modsecurity.org/documentation/Securing_Web_Services_with_ModSecurity_2.0.pdf, > namely: > > Variable-length buffer injection > Meta character injection > SQL injection > SOAP fault code disclosure > > I'm not sure why you think modsecurity would help. > > Assuming you're using GLORP for most of your sql, and follow best practices > for the small stuff that you would handwrite, of course. > > The reason most PHP suffers from this stuff is that (a) PHP is written in C > and (b) many PHP coders are notoriously bad at understanding metacharacters > and (c) most PHP coders do not appear to understand SQL placeholders. And > SOAP is just bad. :) I have seen an arbitrary remote code excution vulnerability in Squeak including SOAP. Except that there was nothing SOAP specific about it. It included something as simple as converting a String to a Boolean. Given the PostgreS Squeak driver doesn't support prepared statements I would be very cautios about any database related statements especially considering that various vulerabilities in PHP can only be solved by passing the character set of the input to the driver or using prepared statements. Glashaus und so. Cheers Philippe _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
Re: Deployment question: Anyone using modSecurity (or equiv) to ensure hackers keep out of Seaside?
|
|
2009/2/16 Philippe Marschall <[hidden email]>:
> 2009/2/16 Randal L. Schwartz <[hidden email]>: >>>>>>> "Rick" == Rick Flower <[hidden email]> writes: >> >> Rick> So.. In reviewing the issue involved with this it appears that something >> Rick> like ModSecurity (see links below) and rules from GotRoot.com might help >> Rick> prevent this sort of thing from happening and was curious if anyone >> Rick> running Seaside/Apache combinations has gone down this path to ensure >> Rick> naughty things don't get passed into Seaside if possible.. Obviously I >> Rick> realize that PHP != Smalltalk and that exploits could be different but >> Rick> I'd like to reduce the chances as best I can. >> >> Since Seaside doesn't have any of the things listed at >> http://www.modsecurity.org/documentation/Securing_Web_Services_with_ModSecurity_2.0.pdf, >> namely: >> >> Variable-length buffer injection >> Meta character injection >> SQL injection >> SOAP fault code disclosure >> >> I'm not sure why you think modsecurity would help. >> >> Assuming you're using GLORP for most of your sql, and follow best practices >> for the small stuff that you would handwrite, of course. >> >> The reason most PHP suffers from this stuff is that (a) PHP is written in C >> and (b) many PHP coders are notoriously bad at understanding metacharacters >> and (c) most PHP coders do not appear to understand SQL placeholders. And >> SOAP is just bad. :) > > I have seen an arbitrary remote code excution vulnerability in Squeak > including SOAP. Except that there was nothing SOAP specific about it. > It included something as simple as converting a String to a Boolean. > > Given the PostgreS Squeak driver doesn't support prepared statements I > would be very cautios about any database related statements especially > considering that various vulerabilities in PHP can only be solved by > passing the character set of the input to the driver or using prepared > statements. Glashaus und so. And Seaside had also once an XSS vulnerability because we don't use the canvas everywhere. Cheers Philippe _______________________________________________ seaside mailing list [hidden email] http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside |
«
Return to Seaside General
|
1 view|%1 views
| Free forum by Nabble | Edit this page |