[nycphp-talk] Basic security question
Phillip Powell
phillip.powell at adnet-sys.com
Wed Jul 14 15:33:08 EDT 2004
I can tell you PHP folk up in NY do not work for the US Feds nor for a
federal contractor, but were you ever to do so, you'd find how horribly
security measures that deal with the Web fly in the face of
federally-mandated Section 508 Compliance.
Augh! You have to put your EMAIL address on your website, how secure is
THAT???
I do know of some PHP programmers in DC for the Labor Dept that once
"spoofed" Apache into interpreting PHP files as ".asp" (and to show
itself as IIS!) to spoof the higher-ups that everything was in a M$
environment to "make them happy".
Phil
Paul Reinheimer wrote:
>Every attack whether web or otherwise I have heard about starts with
>learning as much as you can about the target's systems, then seeking
>to exploit some either known or unknown security holes in the software
>that system is running.
>
>Knowing that, why reveal anything? Make the potential attacker work
>for every piece of information they want. Set the Apache server string
>to claim it is some recent release of IIS, tell all the services not
>to advertise they are running, save your .php files as .exe and tell
>Apache just to interpret appropriately. etc. Obviously if you choose to
>run some off the shelf application (i.e. phpBB) you will let the cat out
>of the bag, but separating it to a subdomain may only add to the
>confusion.
>
>Does anyone see any real advantage to this approach?
>
>
>paul
>_______________________________________________
>talk mailing list
>talk at lists.nyphp.org
>http://lists.nyphp.org/mailman/listinfo/talk
--
---------------------------------------------------------------------------------
Phil Powell
Multimedia Programmer
BPX Technologies, Inc.
#: (703) 709-7218 x107
Fax: (703) 709-7219
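The Apache directives Paul's suggestion corresponds to, as an added example rather than anything posted in this thread; it assumes Apache 2.x with mod_php loaded, and the ".asp" extension is only an illustrative choice.

```apache
# Added example, not from the thread. Assumes Apache 2.x with mod_php
# loaded in the main server config; the ".asp" mapping is illustrative.

# --- Weak defaults (shown for contrast, left commented out): the
# response "Server:" header and the footer on generated error pages
# and directory listings spell out product, version, OS and modules,
# e.g. "Apache/2.0.49 (Unix) PHP/4.3.8".
# ServerTokens Full
# ServerSignature On

# --- Hardened: the header becomes just "Server: Apache" with no
# version or module list, and generated pages carry no footer.
ServerTokens Prod
ServerSignature Off

# Serve PHP under an extension that does not say "PHP". With mod_php
# this is a one-line handler mapping; the interpreter does not care
# what the file is called.
AddType application/x-httpd-php .asp

# PHP adds its own "X-Powered-By: PHP/x.y.z" header unless expose_php
# is off. It is a system-level setting, so set it in php.ini or, as
# here, with php_admin_flag in httpd.conf (not in .htaccess).
php_admin_flag expose_php off
```

Check the result with `curl -sI` against the server and read the Server and X-Powered-By headers. This only changes the strings the server advertises; behaviour that differs between Apache and IIS (error page wording, handling of malformed requests) is unaffected, so it reduces noise rather than acting as a control, which is the trade-off the thread is asking about.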