[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: From release notes for FC5T3 (web)



On Mon, 2006-03-06 at 22:37 -0600, Bruno Wolff III wrote:
> On Mon, Mar 06, 2006 at 18:59:49 -0500,
>   "Michael H. Warfield" <mhw WittsEnd com> wrote:
> > 
> > 	In the security business, we have and expression for people like you.
> > Those people who use the "install everything" button just because they
> > "might" want something in the future (and then forget they installed it,
> > if they even realize they installed it to begin with).
> > 
> > 	We dub thee "owned".
> 
> There is a big difference between installing everything and running every
> every service that you have installed.
> 
True, but having it installed makes it available to the attacker if the
first line of defense gets breached. If it is not installed then it
cannot be used.  That is why the "owned" moniker applies.

> > action.  And the firewall defaults definitely help.  But what about
> > Apache add ons (like PHP et al).  If you don't know and decide
> 
> Yes, you do need to pay attention to which Apache modules you use, since they
> don't obviously show up as services are easy for a new person to miss and
> are potential security problems. However, that is the exception not the rule.
> 
Not limited to just the modules.  A recent exploit I became aware of
results from php code that allowed global variables and URL injection to
access the system.  A friend's server became a spam bot for the
attacker.  Even though the mail server did not allow relaying, they were
able to send it from the local host and got around that restriction..

Any path is a possible weakness, and one weakness leads to others.  If
the door is not there (package not installed) it cannot be opened.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]