need to write up security document

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Leb_CRX
Forum Newbie
Posts: 9
Joined: Thu May 18, 2006 8:27 am


Post by Leb_CRX »

I'm currently working on a major app for one of my clients, and security testing has been brought up... here's what I've identified as potential problems, hoping I can get some more knowledgeable folks to point out areas I've missed.

Besides the obvious (physical location of the server, security holes in the Apache version we're using (if any)), the server being prone to DOS attacks... we have the MySQL port dropped on the firewall so only access is from localhost, and SSH has a diff port #.

We have the following potential threats with the actual app:
- Unanticipated navigation path
- Session hijacks
- SQL injection
- POST/GET tampering to gain a diff role (admin, etc.)
- Man-in-the-middle packet interception

anything else?
thanks
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

- cross site request forgeries
- path traversal (disclosing/tampering with paths)
- code injection (possible include() on remote files)
- $_SERVER exploits (ensure $_SERVER is sanitised, esp. if using PHP_SELF or other vars dependent on client input)

Covers all the bases - of course each has sub-divisions of potential exploits...

I know it's dead obvious - but other stuff outside MySQL/SSH also has relevance. Telnet isn't needed if SSH is available, for example.
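To make several of the items in both lists concrete, here is an added example (not code from either poster) of a single PHP request handler that keeps the role server-side, requires a CSRF token on POST, maps a page parameter to an allowlist instead of passing it to include(), and escapes PHP_SELF before it is echoed. The `$pdo`-free design, the page names, the `pages/` directory and the token field name are all assumptions made for this illustration.

```php
<?php
// Added example, not from the thread: defensive patterns for the threats
// listed above. Page names, the pages/ directory and the "csrf" field name
// are hypothetical choices for this illustration.
session_start();

// 1. Role comes from the server-side session, never from POST/GET, so a
//    tampered "role=admin" parameter in the request is simply ignored.
function current_role(): string {
    return $_SESSION['role'] ?? 'guest';
}

// 2. CSRF: one random token per session, required on every state-changing
//    (POST) request and compared in constant time.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrf_check(): void {
    if (!hash_equals($_SESSION['csrf'] ?? '', $_POST['csrf'] ?? '')) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// 3. Path traversal / remote include: the request parameter selects a key in
//    an allowlist; it never reaches include() itself. Unknown keys fall back.
const PAGES = ['home' => 'home.php', 'profile' => 'profile.php', 'admin' => 'admin.php'];
function page_file(string $name): string {
    return PAGES[$name] ?? PAGES['home'];
}

// 4. $_SERVER['PHP_SELF'] reflects the request path the client sent, so it is
//    escaped before being used as a form action (or hard-code the action).
$action = htmlspecialchars($_SERVER['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_check();
}
$page = page_file($_GET['page'] ?? 'home');
// Authorisation is re-checked on the server for the admin page regardless of
// what the client claims about its role.
if ($page === PAGES['admin'] && current_role() !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}
require __DIR__ . '/pages/' . $page;
```

Session hijacking, also on the first list, is addressed outside this snippet by regenerating the session id at login and serving the app over TLS, which is also the standard answer to the man-in-the-middle item.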