Re: apache php security question

Posted by Colin McKinnon on 01/13/07 00:10

pittendrigh wrote:

> I recently (this morning) had a university server hacked.
> This was a root compromise. The box is now disconnected.
>
<snip>
>
> So here's my question:
> If this does turn out to be a buffer overflow, how do you avoid this?

It's rather unlikely even if you've got something stupid for
LimitRequestBody / LimitRequestFieldSize / post_max_size /
upload_max_filesize.

Most likely it's just a badly written bit of PHP.

> We look at GET parameters and (some, not that many actually)
> POST parameters.
>
> All of this processing needs to be examined and run through some
> sort of a "clean" function, to strip out all but alphanum input.
> But what about parameter length and size?

See above.

Consider installing and configuring mod_security too. Or running behind a
reverse proxy that can log all the traffic.

There's at least one drop-in include file for sanitizing input (OWASP PHP
filters) which you should consider using.

HTH

C.
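The question above asks for a "clean" function that strips everything but alphanumerics and then asks about parameter length. As an added example (not code from either poster), here is a PHP whitelist validator that caps each parameter's byte length before running the pattern match, so oversized input is rejected before anything else looks at it; the parameter names, patterns and limits are assumed for illustration, and the code needs PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example, not from the original post. Per-parameter rules:
// an anchored whitelist pattern and a maximum length in bytes.
// The names and limits below are constructed for illustration.
$paramRules = [
    'user'  => ['pattern' => '/\A[A-Za-z0-9_]+\z/', 'max' => 32],
    'page'  => ['pattern' => '/\A[0-9]+\z/',        'max' => 6],
    'query' => ['pattern' => '/\A[A-Za-z0-9 ]+\z/', 'max' => 100],
];

/**
 * Validate one raw parameter against its rule.
 * Returns the value on success, or null when the parameter is unknown,
 * absent, not a plain string (e.g. foo[]=bar), longer than the byte cap
 * (checked first, so the regex never runs on oversized input), or
 * contains characters outside the whitelist.
 */
function cleanParam(array $source, string $name, array $rules): ?string
{
    if (!isset($rules[$name], $source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = $source[$name];
    if (strlen($value) > $rules[$name]['max']) {
        return null;
    }
    if (preg_match($rules[$name]['pattern'], $value) !== 1) {
        return null;
    }
    return $value;
}

/** Validate every expected parameter; any single failure rejects the request. */
function cleanRequest(array $source, array $rules): ?array
{
    $clean = [];
    foreach ($rules as $name => $rule) {
        $v = cleanParam($source, $name, $rules);
        if ($v === null) {
            return null;
        }
        $clean[$name] = $v;
    }
    return $clean;
}

// Constructed sample input standing in for $_GET; the second call
// replaces 'user' with a 40-byte value and so fails the length cap.
$sample = ['user' => 'alice_01', 'page' => '12', 'query' => 'apache php'];
var_dump(cleanRequest($sample, $paramRules));
var_dump(cleanRequest(array_merge($sample, ['user' => str_repeat('a', 40)]), $paramRules));
```

Whatever this function accepts is still bounded by Apache's LimitRequestBody / LimitRequestFieldSize and PHP's post_max_size, which reject the request before the script runs; the two layers complement rather than replace each other.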
