[nycphp-talk] Basic security question

Paul Reinheimer preinheimer at gmail.com
Wed Jul 14 15:35:00 EDT 2004


See, if that was convincing enough, a prospective attacker would spend a
lot of time going after IIS and ASP vulnerabilities that presumably
(in the same form) exist in Apache and PHP.


paul

On Wed, 14 Jul 2004 15:33:08 -0400, Phillip Powell
<phillip.powell at adnet-sys.com> wrote:
> I can tell you PHP folk up in NY do not work for the US Feds nor for a
> federal contractor, but were you ever to do so, you'd find how horribly
> security measures that deal with the Web fly in the face of
> federally-mandated Section 508 Compliance.
> 
> Augh! You have to put your EMAIL address on your website, how secure is
> THAT???
> 
> I do know of some PHP programmers in DC for the Labor Dept that once
> "spoofed" Apache into interpreting PHP files as ".asp" (and to show
> itself as IIS!) to spoof the higher-ups that everything was in a M$
> environment to "make them happy".
> 
> Phil
> 
> 
> 
> Paul Reinheimer wrote:
> 
> >Every attack whether web or otherwise I have heard about starts with
> >learning as much as you can about the target's systems, then seeking
> >to exploit some either known or unknown security holes in the software
> >that system is running.
> >
> >Knowing that, why reveal anything? Make the potential attacker work
> >for every piece of information they want. Set the Apache server string
> >to claim it is some recent release of IIS, tell all the services not
> >to advertise they are running, save your .php files as .exe and tell
> >Apache just to interpret appropriately, etc. Obviously if you choose to
> >run some off the shelf application (i.e. phpBB) you will let the cat out
> >of the bag, but separating it to a subdomain may only add to the
> >confusion.
> >
> >Does anyone see any real advantage to this approach?
> >
> >
> >paul
> >_______________________________________________
> >talk mailing list
> >talk at lists.nyphp.org
> >http://lists.nyphp.org/mailman/listinfo/talk
> >
> >
> >
> 
> --
> ---------------------------------------------------------------------------------
> Phil Powell
> Multimedia Programmer
> BPX Technologies, Inc.
> #: (703) 709-7218 x107
> Fax: (703) 709-7219
> 
>
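
An added example, not part of the original thread: a Python check an administrator can run over their own site's response headers to see whether the banner and extension disguise discussed above holds together, or whether other headers still give the stack away. The function name, finding codes and sample headers are constructed for illustration.

```python
import re

# Constructed samples (not captured from a real host). The first models a
# PHP-on-Apache site whose banner and file extension were changed to look
# like IIS/ASP, as described in the thread; the second is a quiet response.
SAMPLE_SPOOFED = {
    "Server": "Microsoft-IIS/6.0",
    "X-Powered-By": "PHP/4.3.8",
    "Set-Cookie": "PHPSESSID=0123456789abcdef; path=/",
}
SAMPLE_QUIET = {"Server": "Apache", "Content-Type": "text/html"}


def audit(path, headers):
    """Return a sorted list of finding codes for one request path and its response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server", "")
    powered = h.get("x-powered-by", "")
    cookie = h.get("set-cookie", "")
    findings = set()

    # A version number in the banner; Apache: ServerTokens Prod
    if re.search(r"\d+\.\d+", server):
        findings.add("server-version")
    # PHP adds this header unless php.ini has expose_php = Off
    if powered:
        findings.add("x-powered-by")
    # PHP's default session cookie name; changed with session.name in php.ini
    php_cookie = cookie.startswith("PHPSESSID=")
    if php_cookie:
        findings.add("default-session-cookie")
    # The file extension names the interpreter outright
    if path.lower().endswith(".php"):
        findings.add("revealing-extension")

    # The disguise only helps if nothing else contradicts it: an .asp or
    # .exe URL that still carries PHP markers tells the reader what is behind it.
    disguised = path.lower().endswith((".asp", ".exe"))
    looks_php = "php" in powered.lower() or php_cookie
    if disguised and looks_php:
        findings.add("disguise-contradicted")
    return sorted(findings)


if __name__ == "__main__":
    print(audit("/index.asp", SAMPLE_SPOOFED))
    print(audit("/", SAMPLE_QUIET))
```
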


