[Seaside] Deployment question: Anyone using modSecurity (or equiv) to ensure hackers keep out of Seaside?

Randal L. Schwartz merlyn at stonehenge.com
Mon Feb 16 17:44:11 UTC 2009


>>>>> "Rick" == Rick Flower <rickf at ca-flower.com> writes:

Rick> So.. In reviewing the issue involved with this it appears that something
Rick> like ModSecurity (see links below) and rules from GotRoot.com might help
Rick> prevent this sort of thing from happening and was curious if anyone
Rick> running Seaside/Apache combinations has gone down this path to ensure
Rick> naughty things don't get passed into Seaside if possible.. Obviously I
Rick> realize that PHP != Smalltalk and that exploits could be different but
Rick> I'd like to reduce the chances as best I can.

Since Seaside doesn't have any of the things listed at
http://www.modsecurity.org/documentation/Securing_Web_Services_with_ModSecurity_2.0.pdf,
namely:

  Variable-length buffer injection
  Meta character injection
  SQL injection
  SOAP fault code disclosure

I'm not sure why you think modsecurity would help.

Assuming you're using GLORP for most of your sql, and follow best practices
for the small stuff that you would handwrite, of course.

The reason most PHP suffers from this stuff is that (a) PHP is written in C
and (b) many PHP coders are notoriously bad at understanding metacharacters
and (c) most PHP coders do not appear to understand SQL placeholders.  And
SOAP is just bad. :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn at stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
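The point above about SQL placeholders versus hand-written query strings, shown as an added example that is not part of the original post and not GLORP or Seaside code. It uses Python's standard sqlite3 module (assumed as a stand-in for whatever database driver the Smalltalk side would use) with a constructed two-row `users` table; the function names `role_by_concat`, `role_by_placeholder` and `compare` are hypothetical. The metacharacter case Randal mentions is a perfectly ordinary name containing an apostrophe: string interpolation turns it into broken SQL, while a bound placeholder treats it as data.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user")],
    )
    return conn


def role_by_concat(conn, name):
    # Hand-written SQL built by string interpolation (the pattern the post
    # warns about). The apostrophe in O'Brien becomes part of the SQL syntax
    # instead of part of the value, so the statement no longer parses.
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def role_by_placeholder(conn, name):
    # Placeholder form: the driver binds the value separately from the
    # statement text, so metacharacters in the input are never parsed as SQL.
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    # Run both styles against the same data; report the concatenated
    # version's error as a string rather than letting it propagate.
    conn = make_db()
    try:
        concat_result = role_by_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat_result = "error: %s" % exc
    placeholder_result = role_by_placeholder(conn, name)
    conn.close()
    return concat_result, placeholder_result


if __name__ == "__main__":
    for probe in ("alice", "O'Brien"):
        print(probe, "->", compare(probe))
```

For `alice` both styles agree; for `O'Brien` the interpolated query fails with a syntax error while the placeholder query returns the row. The same discipline applies to the "small stuff" one would hand-write alongside an ORM: pass values as bound parameters, never splice them into the statement text.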