Category Archives: Linux

15 Rules to follow for safer web applications

After some research, these are the rules I (try to) follow…
(don’t mind the order!)

1. Display custom errors pages.

2. Remove unwanted files and folders.

3. Remove backup, unused or obsolete files (.bak, .inc, .old etc.). For include files, choose a suffix the server will execute rather than serve as plain text (e.g. .php instead of .inc), or keep them outside the document root, so their source cannot be read by clients.

4. Remove the default or sample documents that ship with the server or framework (a stock default.aspx, index.php, index.asp, main.jsp etc.) if your application does not use them; they disclose the platform and sometimes carry test functionality.

5. Validate every parameter on the server against its expected data length, data type, data format (dd-mm-yyyy etc.) and data range (10-79 etc.).

6. Sanitize input, and encode output for the context it is rendered in. A custom-made sanitizer is acceptable only if it is whitelist-based and tested; prefer a well-reviewed library routine where one exists.

7. Disable directory browsing. If it is required, make sure none of the listed files introduces a risk.

8. Remove private IP addresses from the HTTP response body (and headers). For comments, use server-side JSP/ASP/PHP comments instead of HTML/JavaScript comments, which are delivered to the client browser.

9. For secure content, keep the session ID in a cookie (flagged Secure and HttpOnly) rather than in the URL; if URL rewriting must be kept as a fallback for clients without cookies, be aware that the ID then leaks through Referer headers and logs. Binding the session ID to the client IP address adds some protection against hijacking but breaks for users behind NAT or proxies whose address changes. Regenerate the session ID on login and apply idle and absolute timeouts so a captured ID cannot be replayed indefinitely.

10. Turn off the AUTOCOMPLETE attribute on forms, or on the individual input elements that hold passwords, with AUTOCOMPLETE=’OFF’. Note that current browsers ignore this hint for login fields and offer to save the password anyway, so treat it as defence in depth rather than a control.

11. Prevent secure pages from being cached in the browser. If no cache control is set in the HTTP headers or the HTML head, sensitive content can be recovered from browser storage. The reliable way is to set HTTP headers: ‘Cache-Control: no-store, no-cache, must-revalidate’ together with ‘Pragma: no-cache’ (and ‘Expires: 0’ for HTTP/1.0 caches); ‘no-store’ is the directive that actually stops the response from being written to disk, ‘no-cache’ alone only forces revalidation. Setting the same values with meta tags in the HTML head is a weaker alternative that some browsers ignore.

12. Do not trust client-side input; enforce strict checks on the server side. Disable server-side includes unless you need them. Run the web server and application server under a dedicated, least-privileged account. For Apache, remove or comment out the following directives (the Options line enables directory listings, symlink following and SSI; keep only the options you actually need, or prefix each one with a minus sign to disable it explicitly):

Options Indexes FollowSymLinks Includes
AddType application/x-httpd-cgi .cgi
AddType text/x-server-parsed-html .html

13. Do not trust client-side input even when there is client-side validation. In general:

  • If the input is numeric, type-check it (parse it as a number and reject anything else).
  • If the application uses JDBC, use PreparedStatement or CallableStatement with parameters passed through ? placeholders.
  • If the application uses ASP, use ADO Command objects with strong type checking and parameterized queries.
  • If stored procedures or bind variables are available, use them to pass parameters into the query. Do not just concatenate strings into the query inside the stored procedure either; a procedure that builds dynamic SQL from its arguments is just as injectable as application code that does.
  • Never build a dynamic SQL query by simple string concatenation.
  • Run the application with the minimum database privileges. This does not eliminate SQL injection but limits its damage: if the application only needs to read one table, grant SELECT on that table only. Avoid sa, db_owner or root.

14. Do not try to work with (or silently “repair”) invalid data. Reject it and display the custom error page when data fails validation.

15. Use whitelist validation wherever possible!
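Rules 5, 13 and 15 together, as an added worked example that is not part of the original post: whitelist validation of a numeric range, a dd-mm-yyyy date and a column name, next to a concatenated query and its parameterized replacement. The table, the rows and the injection payload are constructed for the demo; SQLite is used only because it runs in memory with no setup, the same bind-variable rule applies to JDBC, ADO or any other driver.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample rows for the demo (not data from any real system).
USERS = [
    (1, "alice", "2001-03-15", 42),
    (2, "bob", "1995-11-02", 17),
    (3, "carol", "1988-07-30", 65),
]


def open_demo_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, dob TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


class ValidationError(ValueError):
    """Raised for any input that fails a whitelist check (rule 14: do not repair it)."""


def validate_age(raw, lo=10, hi=79):
    """Rule 5: type check (digits only, so no sign or whitespace), then range check."""
    if not re.fullmatch(r"[0-9]{1,3}", raw):
        raise ValidationError("age must be a 1-3 digit integer")
    age = int(raw)
    if not lo <= age <= hi:
        raise ValidationError(f"age must be between {lo} and {hi}")
    return age


def validate_date_dmy(raw):
    """Rule 5: format dd-mm-yyyy, and additionally a real calendar date."""
    if not re.fullmatch(r"[0-3][0-9]-[01][0-9]-[12][0-9]{3}", raw):
        raise ValidationError("date must be dd-mm-yyyy")
    try:
        return datetime.strptime(raw, "%d-%m-%Y").date()
    except ValueError:
        raise ValidationError("not a valid calendar date") from None


# Rule 15: identifiers (column names) cannot be bound as parameters, so they are
# only ever taken from a fixed whitelist, never from the request directly.
ALLOWED_SORT_COLUMNS = {"name", "age", "dob"}


def validate_sort_column(raw):
    if raw not in ALLOWED_SORT_COLUMNS:
        raise ValidationError("unknown sort column")
    return raw


def rejected(validator, raw):
    """True if `validator` refuses `raw`; used to show what the rules reject."""
    try:
        validator(raw)
    except ValidationError:
        return True
    return False


def find_user_vulnerable(conn, name):
    """Rule 13 anti-pattern: the query is built by string concatenation."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Rule 13: bind variable; the driver never interprets `name` as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def list_adults_sorted(conn, sort_col):
    """Whitelisted identifier for ORDER BY, bound parameter for the value."""
    col = validate_sort_column(sort_col)
    return conn.execute(f"SELECT name FROM users WHERE age >= ? ORDER BY {col}", (18,)).fetchall()


def demo():
    """Classic tautology payload against both query builders."""
    conn = open_demo_db()
    payload = "x' OR '1'='1"
    return {
        "vulnerable": len(find_user_vulnerable(conn, payload)),  # 3: the filter is bypassed
        "safe": len(find_user_safe(conn, payload)),              # 0: the payload is just a literal
    }


if __name__ == "__main__":
    print(demo())
```

The two things a request can influence are handled differently on purpose: values go through the driver as bind variables, identifiers such as the sort column go through a whitelist, because no driver can parameterize an ORDER BY column.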

ModSecurity Vulnerabilities Fixed

ModSecurity versions 2.5.8 and 2.5.9 have been released to fix two vulnerabilities which could be used to cause a denial of service (DoS).  The first vulnerability is fixed in version 2.5.8 and the second (as it was disclosed after version 2.5.8 was already frozen) is fixed in version 2.5.9.  Because of this, the 2.5.8 release should be disregarded in favor of 2.5.9.  Both vulnerabilities, however, have workarounds until ModSecurity can be upgraded/patched.


Joomla/Mambo – PDF Indexer Module

PDF Indexer

Allow PDFs to be searched via the Joomla/Mambo search module.

This Joomla/Mambo Component allows you to index PDFs located within your Joomla directory and the corresponding mosbot allows that index to be searched using the Joomla search component. This allows the text of PDFs to be viewed when searching a Joomla site.

Version 2.4

New Features:
* Joomla 1.5 legacy support
* More bug fixes

Also Featuring:
* Indexes new PDFs only, so indexing is much faster.
* PDF file version changes: it automatically detects that a PDF has changed and re-indexes it on the next pass.
* Deletes the indexes of PDFs that have been removed from your file structure.
* Password-protected PDF indexing!
* Ability to edit past indexes (for image-based PDFs, add keywords and phrases).
* Improved MosBot.
* Other various bug fixes.

Does not work on servers with PHP safe_mode enabled or with popen() disabled.

Great work! Really!
But I ran into a big problem…

I have tested PDF Indexer with Joomla 1.5 and it works PERFECTLY with “small” PDF files.
By “small” PDF files I mean up to 1 MB.
When I tried a “bigger” PDF file like 10 MB, or even worse 40 MB or 80 MB, although it seemed to be working (that is, no errors found), when I tried to see it in “Modify Indexes” from the Administration Menu… it wasn’t there.


1. Edit the file…

Lines 366, 445:
Change this…
$contents .= fread($handle2, 8192);
to this…
$contents .= fread($handle2, $fileSize);

then add the following line…
in the first lines of the file.

Alternative: if you have access, change memory_limit = 32M to memory_limit = 128M in your /etc/php.ini file. Restart Apache!!!

2. Edit the file…
set-variable = max_allowed_packet=xM
where x is the number of MB needed (for example 5MB)!

Fire up phpMyAdmin or open your favorite MySQL Manager.
Go to the Joomla DATABASE and, in the TABLE that stores the indexing data, change the type of the FIELD Description to LONGTEXT.
Restart mysql !!!

That’s all!

The results were great. In a few seconds a 78MB pdf file was indexed !