Quote:
Originally Posted by RedhatLearner
with only a limited knowledge of php I have become stuck rather quickly.
Then I urge you (do not read that as "ask" or "suggest") to search for current, maintained and supported packages that already provide (parts) of what you need. Not only will it save you time but it will also mean you can ask for support and implies it will have better testing and security than you can come up with (with all due respect). See Freshmeat, Sourceforge and Nongnu.
If you still want to go the "home brew" way, good luck, and here are some unsorted questions / comments for you:
- How do you verify any user input doesn't include chars you should exclude?
- How do you react to illegal input? Scrub or deny?
- What's the time between account creation and upload readiness?
- Do you detect "free" email providers and would that be a good thing?
- Do you detect username iterations? Should you?
- Do you intend to allow these services only over SSL? Why not?
- What's the maximum amount of files a user can dump on the system? Per file filesize? How do you check that? How often?
- Vsftpd allows you to create "virtual" users. A FTP-only account doesn't need an account on the system.
- Does processing the datafeed include a validity check? Why not?
I'll leave you with some links (from the LQ FAQ: Security references) that may or may not make for an interesting read:
Apache
Web Security Appliance With Apache and mod_security (SF):
http://www.securityfocus.com/infocus/1739
Securing Apache Step-by-Step:
http://www.securityfocus.com/infocus/1694
Securing apache2:
http://www.securityfocus.com/infocus/1786
Suexec
Apache suEXEC Support:
http://httpd.apache.org/docs/1.3/suexec.html
HOWTO Install PHP with SuExec:
http://gentoo-wiki.com/HOWTO_Install_PHP_with_SuExec
HOWTO Install PHP as CGI with Apache's suEXEC Feature:
http://archiv.debianhowto.de/en/php_cgi/c_php_cgi.html
How to set up suexec to work with virtual hosts and PHP (+PHP +public_html patch):
http://alain.knaff.lu/howto/PhpSuexec/
PHP
PHP and the OWASP Top Ten Security Vulnerabilities:
http://www.sklar.com/page/article/owasp-top-ten
Top 7 PHP Security Blunders:
http://www.sitepoint.com/print/php-security-blunders
PHP Security Guide:
http://phpsec.org/projects/guide/
PHP Security Library:
http://phpsec.org/library/
PHPsec.org Security Guide considered harmful:
http://www.hardened-php.net/php_secu...armful.51.html
PHP: Preventing register_global problems:
http://www.modsecurity.org/documenta...r-globals.html
Securing PHP Step-by-Step:
http://www.securityfocus.com/infocus/1706
PHP Security:
http://www.onlamp.com/pub/a/php/2003...undations.html
Security of PHP:
http://www.developer.com/lang/article.php/918141
PHP Foundations:
http://www.onlamp.com/pub/ct/29
Auditing PHP, Part 1: Understanding register_globals:
http://www-128.ibm.com/developerworks/library/os-php1/
Hardened PHP:
http://www.hardened-php.net
Web application security:
http://www.heise-security.co.uk/articles/84511
Checking PHP
Pixy (Check cross-site scripting and SQL injection):
http://pixybox.seclab.tuwien.ac.at/pixy/
Exploiting Common Vulnerabilities in PHP Applications:
http://www.securereality.com.au/studyinscarlet.txt
Application security testing
Open Web Application Security Project (OWASP):
http://www.owasp.org/index.php/OWASP...le_of_Contents
Springenwerk Cross Site Scripting (XSS) security scanner:
http://sourceforge.net/projects/springenwerk
BTW: if you think you needn't read those I can only wish you may live in interesting times.
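An added example, not part of the post above and not the original poster's code, showing one way to answer several of the checklist questions (excluded characters, "scrub or deny", per-file size and per-user file count) in PHP. It answers "scrub or deny" with deny: invalid input is rejected with an error rather than silently repaired. The function names, the username pattern, the quota values and the allowed extensions are assumptions chosen for illustration, not values from the post.

```php
<?php
// Added example: allowlist validation and upload limits for a
// "home brew" PHP account/upload system. Names and limits are hypothetical.
declare(strict_types=1);

// Allowlist of permitted characters (not a blocklist of "bad" ones):
// lowercase letter first, then letters/digits/underscore, 3-32 chars total.
const USERNAME_PATTERN   = '/^[a-z][a-z0-9_]{2,31}$/';
const MAX_FILES_PER_USER = 100;               // assumed policy value
const MAX_FILE_BYTES     = 10 * 1024 * 1024;  // assumed policy value (10 MiB)
const ALLOWED_EXTENSIONS = ['txt', 'csv', 'png', 'jpg'];  // assumed allowlist

// Deny rather than scrub: return an error message (or null when valid)
// so the caller never stores a value the user did not actually submit.
function validateUsername(string $name): ?string
{
    if (preg_match(USERNAME_PATTERN, $name) !== 1) {
        return 'username must be 3-32 chars: a-z, 0-9, underscore, starting with a letter';
    }
    return null;
}

function validateEmail(string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email address';
    }
    return null;
}

// Validate one entry of $_FILES before it is moved out of the temp directory.
// $existingCount is how many files this user already has on the system.
function validateUpload(array $upload, int $existingCount): ?string
{
    $error = $upload['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        return 'upload failed with PHP error code ' . (int) $error;
    }
    // Refuse anything that did not arrive through the HTTP upload mechanism.
    if (!isset($upload['tmp_name']) || !is_uploaded_file($upload['tmp_name'])) {
        return 'not a valid uploaded file';
    }
    if ($existingCount >= MAX_FILES_PER_USER) {
        return 'file quota reached';
    }
    // Measure the file on disk; never trust a client-supplied size field.
    $size = filesize($upload['tmp_name']);
    if ($size === false || $size > MAX_FILE_BYTES) {
        return 'file too large';
    }
    return null;
}

// Server-chosen storage name: random, and with the client's extension only
// if it is on the allowlist. The client filename is never reused on disk.
function storageName(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        $ext = 'bin';
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed usage (no real HTTP request involved):
$errors = array_filter([
    validateUsername('alice_01'),          // valid
    validateUsername("alice'; DROP TABLE"), // denied by the allowlist
    validateEmail('alice@example.com'),     // valid
]);
foreach ($errors as $e) {
    echo "rejected: $e\n";
}
echo "stored as: " . storageName('report.csv') . "\n";
```

The two design points worth keeping even if the limits change: validation is an allowlist (the pattern says what is permitted, so new unexpected characters are rejected by default), and the stored filename is generated on the server, so nothing from the client's filename ever reaches the filesystem.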