security: webhosted site and cgi-bin, scripts

Re: security: webhosted site and cgi-bin, scripts

sinister wrote:[color=blue]
> I have a site hosted by a commercial webhosting service. As such, I don't
> have any real control over the webserver (in this case, Apache).
>
> What are the most basic, essential elements of security in this case? My
> impression is that there are two steps:[/color]

(0) Never send sensitive data to the browser (e.g.: passwords coded in a javascript and so on)!!!
[color=blue]
> (1) binaries and scripts should be executable by the webserver, but not
> visible (readable) to the outside world;[/color]
Yes. And consider NOT using binaries/scripts where not necessary.
There are a lot of free HTML precompilers. You can use them on your PC before you download the site.
A good example for Linux/Unix: http://casm.portologic.hu
It even can act as an offline content management system.
[color=blue]
> (2) when writing binaries and scripts, make sure that to constrain what
> actions are taken, and never assume that user data is of some expected form.[/color]
Ack. Always check user entered data. Do not try to filter off invalid characters, but define valid data and accept only that!
[color=blue]
> Is rule #1 always the case, with (for example) Apache? Or do I have to
> worry about the permissions on the directories?[/color]
It depends. AFAIK directory permissions are in hand of webmasters.

[color=blue]
> For what it's worth, I started playing with php, and the system doesn't
> allow php scripts to be placed in cgi-bin.[/color]

Change to PERL or Java! PHP is not too secure (a lot of 0d exploits)!!!
[color=blue]
> (I'm asking these simple, naive questions because most info out there about
> Apache, etc are written for administrators who have control over the Apache
> installation, which I don't have.)[/color]

Search the web for CGI security docs! You will find wery useful ones.
If you will use PERL, find some Perl CGI security guides.
Google will help you.

Re: security: webhosted site and cgi-bin, scripts


"HAL-9000" <hal_9000@NOS PA-M.freemail.hu> wrote in message
news:h4Aqb.2271 26$vL1.2736335@ news.chello.at. ..

HAL-9000,

Thanks for the informative response.
[color=blue]
> sinister wrote:[color=green]
> > I have a site hosted by a commercial webhosting service. As such, I[/color][/color]
don't[color=blue][color=green]
> > have any real control over the webserver (in this case, Apache).
> >
> > What are the most basic, essential elements of security in this case?[/color][/color]
My[color=blue][color=green]
> > impression is that there are two steps:[/color]
>
> (0) Never send sensitive data to the browser (e.g.: passwords coded in a[/color]
javascript and so on)!!!

Right.
[color=blue][color=green]
> > (1) binaries and scripts should be executable by the webserver, but not
> > visible (readable) to the outside world;[/color]
> Yes. And consider NOT using binaries/scripts where not necessary.
> There are a lot of free HTML precompilers. You can use them on your PC[/color]
before you download the site.[color=blue]
> A good example for Linux/Unix: http://casm.portologic.hu
> It even can act as an offline content management system.
>[color=green]
> > (2) when writing binaries and scripts, make sure that to constrain what
> > actions are taken, and never assume that user data is of some expected[/color][/color]
form.[color=blue]
> Ack. Always check user entered data. Do not try to filter off invalid[/color]
characters, but define valid data and accept only that!

Right.
[color=blue][color=green]
> > Is rule #1 always the case, with (for example) Apache? Or do I have to
> > worry about the permissions on the directories?[/color]
> It depends. AFAIK directory permissions are in hand of webmasters.
>
>[color=green]
> > For what it's worth, I started playing with php, and the system doesn't
> > allow php scripts to be placed in cgi-bin.[/color]
>
> Change to PERL or Java! PHP is not too secure (a lot of 0d exploits)!!![/color]

How do you mean by "0d" exploits?
[color=blue][color=green]
> > (I'm asking these simple, naive questions because most info out there[/color][/color]
about[color=blue][color=green]
> > Apache, etc are written for administrators who have control over the[/color][/color]
Apache[color=blue][color=green]
> > installation, which I don't have.)[/color]
>
> Search the web for CGI security docs! You will find wery useful ones.
> If you will use PERL, find some Perl CGI security guides.
> Google will help you.
>[/color]

Re: security: webhosted site and cgi-bin, scripts

sinister wrote:
[color=blue][color=green]
>>Yes. And consider NOT using binaries/scripts where not necessary.
>>There are a lot of free HTML precompilers. You can use them on your PC
>>before you download the site.[/color][/color]

Self correction: I meant upload of course...

[color=blue][color=green][color=darkred]
>>>For what it's worth, I started playing with php, and the system doesn't
>>>allow php scripts to be placed in cgi-bin.[/color]
>>
>>Change to PERL or Java! PHP is not too secure (a lot of 0d exploits)!!![/color]
>
> How do you mean by "0d" exploits?[/color]

Zero Day exploits. Exploits not published. Security problems not known by the developer community. It's an underground security slang. A lot of un*x webservers were cracked with these PHP exploits.

Additional tips:

- Use baselining (check the integrity of your files on a regular basis). An easy way is a scheduled script that checksums every file and looks for checksum differences.

- If you have to use scripts then log script activities, warnings and errors into a logfile.

- Check your logfiles on a regular basis. Even webserver logs if you have access to them.


Happy coding!