<html><body bgcolor="#FFFFFF">
<p><font size="2" face="sans-serif">Hi Jules,</font><br>
<br>
<font size="2" face="sans-serif">Point 3 is only for paranoid people like me (IT security specialist). You need it to prevent issues you haven't thought about, programming or configuration errors, or vulnerabilities in the OS used.</font><br>
<br>
<font size="2" face="sans-serif">Best regards<br>
<br>
Patrick Gaikowski<br>
Tel: +49 7132 94 3568<br>
Fax: +49 7132 94 73568<br>
E-Mail: patrick.gaikowski@kaufland.com<br>
KI 967800 IT International / Infrastructure<br>
Office:<br>
Lindichstrasse 11<br>
D-74189 Weinsberg</font><br>
<br>
<br>
<br>
<font size="2" face="sans-serif"><a href="http://www.kaufland.de">http://www.kaufland.de</a> </font><br>
<font size="2" face="sans-serif">We are No. 1:</font><br>
<font size="2" face="sans-serif">Kaufland is "Best Supermarket 2011"!</font><br>
<br>
<font size="2" face="sans-serif">Kaufland Informationssysteme GmbH & Co. KG</font><br>
<font size="2" face="sans-serif">P.O. Box 12 53 - 74149 Neckarsulm<br>
Limited partnership<br>
Registered office: Neckarsulm<br>
Commercial register: Amtsgericht Stuttgart HRA 104163</font><br>
<p><font size="2" face="sans-serif"><b>Jules &lt;Jules@zend.to&gt;</b><br>
Sent by: zendto-bounces@zend.to<br>
25.05.2011 13:55<br>
Please reply to: ZendTo Users &lt;zendto@zend.to&gt;<br>
To: ZendTo Users &lt;zendto@zend.to&gt;<br>
Subject: [ZendTo] Re: Hardening Zendto</font></p>
<br>
<font size="3" face="serif"><br>
<br>
On 24/05/2011 21:52, </font><a href="mailto:patrick.gaikowski@kaufland.com"><font size="3" color="#0000FF" face="serif"><u>patrick.gaikowski@kaufland.com</u></font></a><font size="3" face="serif"> wrote: </font>
<ul style="padding-left: 36pt"><br>
<font size="2" face="sans-serif">Hi,</font><font size="3" face="serif"><br>
</font><font size="2" face="sans-serif"><br>
I'm preparing ZendTo for a penetration test and used some scanners like Paros, Nikto ...</font><font size="3" face="serif"><br>
</font><font size="2" face="sans-serif"><br>
1.) deactivate X-Powered-By (the server sends the exact PHP version to the client)</font><font size="3" face="serif"><br>
</font><font size="2" face="sans-serif"><br>
in php.ini --> expose_php = Off</font><font size="3" face="serif"><br>
</font><font size="2" face="sans-serif"><br>
2.) deactivate HTTP TRACE (used by security scanners for XSS)</font><font size="3" face="serif"><br>
</font><font size="2" color="#0000FF" face="sans-serif"><u><br>
</u></font><a href="http://www.ducea.com/2007/10/22/apache-tips-disable-the-http-trace-method/"><font size="2" color="#0000FF" face="sans-serif"><u>http://www.ducea.com/2007/10/22/apache-tips-disable-the-http-trace-method/</u></font></a></ul>
<br>
<font size="3" face="serif">Thanks for those two. I will try to make sure they get into the 4.02 (or is it 4.03?) release of the ZendTo VM images.</font>
<ul style="padding-left: 36pt"><br>
<font size="2" face="sans-serif"><br>
3.) using mod_security as module for apache</font></ul>
<br>
<font size="3" face="serif">Do I need this? It adds another level of complexity to things, unless there are yum and apt packages of it that I can just include. Do you know if there are?<br>
<br>
Many thanks,<br>
Jules.<br>
</font>
<ul style="padding-left: 36pt"><br>
<font size="2" face="sans-serif"><br>
ModSecurity is an open source web application firewall with a lot of preconfigured rule sets. ModSecurity prevents injections, XSS, commands ... I played with mod_security and added a sample (not complete)</font><font size="3" face="serif"><br>
</font><pre>
# Prevents path disclosure for PHP fatal errors. Inspecting RESPONSE_BODY needs
# SecResponseBodyAccess On and phase 4; PHP writes "Fatal error:" (wrapped in
# &lt;b&gt;...&lt;/b&gt; when html_errors is on), so match case-insensitively.
SecResponseBodyAccess On
SecRule RESPONSE_BODY "(?i)Fatal error(?:&lt;/b&gt;)?:" "phase:4,deny,status:500,log,auditlog,msg:'PHP Fatal Error blocked'"
ErrorDocument 500 /security-error.php

# Prevent security scanners from scanning the web application
# (ModSecurity 2.x variable syntax; the pattern is matched case-insensitively)
SecRule REQUEST_HEADERS:User-Agent "(?i)(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|Paro)s|internet explorer|webinspect|\.nasl)" \
    "phase:2,deny,status:500,log,msg:'Request Indicates a Security Scanner Scanned the Site'"

# Applies to the rules below that do not carry their own disruptive action
SecDefaultAction phase:2,redirect:/security-error.php,status:509,log,auditlog

# Hides the web server signature (IIS, Apache ...); Apache must run with
# ServerTokens Full for ModSecurity to be able to overwrite it
SecServerSignature "Hotzenplotz"

# Root path
SecRule REQUEST_URI "^/$" "log,allow,phase:2"

# Needed for reCAPTCHA
SecRule REQUEST_URI "https://www.google.com/recaptcha/api/image$" "log,allow,phase:2"

# PHP pages
SecRule REQUEST_FILENAME "^/security-error.php$" "log,allow,phase:2"
SecRule REQUEST_FILENAME "^/about.php$" "log,allow,phase:2"
SecRule REQUEST_FILENAME "^/verify.php$" "log,allow,phase:2"
....
</pre><font size="3" face="serif"><br>
</font><font size="2" face="sans-serif"><br>
The sample is not complete ...</font><font size="3" face="serif"><br>
</font><font size="2" face="sans-serif"><br>
Best regards<br>
<br>
Patrick Gaikowski<br>
Tel: +49 7132 94 3568<br>
Fax: +49 7132 94 73568<br>
E-Mail: </font><a href="mailto:patrick.gaikowski@kaufland.com"><font size="2" color="#0000FF" face="sans-serif"><u>patrick.gaikowski@kaufland.com</u></font></a><font size="2" face="sans-serif"><br>
KI 967800 IT International / Infrastructure<br>
Office:<br>
Lindichstrasse 11<br>
D-74189 Weinsberg</font><font size="3" face="serif"><br>
<br>
</font><font size="2" color="#0000FF" face="sans-serif"><u><br>
</u></font><a href="http://www.kaufland.de/"><font size="2" color="#0000FF" face="sans-serif"><u>http://www.kaufland.de</u></font></a><font size="2" face="sans-serif"> <br>
We are No. 1:<br>
Kaufland is "Best Supermarket 2011"!</font><font size="3" face="serif"><br>
</font><font size="2" face="sans-serif"><br>
Kaufland Informationssysteme GmbH & Co. KG<br>
P.O. Box 12 53 - 74149 Neckarsulm<br>
Limited partnership<br>
Registered office: Neckarsulm<br>
Commercial register: Amtsgericht Stuttgart HRA 104163</font>
<p><tt><font size="3"><br>
<br>
_______________________________________________<br>
ZendTo mailing list<br>
</font></tt><a href="mailto:ZendTo@zend.to"><tt><font size="3" color="#0000FF"><u>ZendTo@zend.to</u></font></tt></a><tt><font size="3"><br>
</font></tt><a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto"><tt><font size="3" color="#0000FF"><u>http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</u></font></tt></a></ul>
<br>
<tt><font size="3">Jules<br>
<br>
-- <br>
Julian Field MEng CITP CEng<br>
</font></tt><a href="http://www.zend.to/"><tt><font size="3" color="#0000FF"><u>www.Zend.To</u></font></tt></a><tt><font size="3"><br>
<br>
Follow me at twitter.com/JulesFM<br>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<br>
<br>
'Teach a man to reason, and he will think for a lifetime.' - Phil Plait 'All programs have a desire to be useful' - Tron, 1982<br>
</font></tt>
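<p><font size="3" face="serif">An added check for points 1 and 2 of the thread and the server signature (this is not code from the thread, from ZendTo or from ModSecurity): it parses raw OPTIONS and TRACE responses and reports which hardening items are still missing. The sample responses are constructed, not captured from any real host; the Apache directive names in the comments are standard Apache settings.</font></p>

```python
import re

# Constructed sample responses (not captured from any real ZendTo host): what a
# default Apache/PHP install and a hardened one might return to OPTIONS and TRACE.
BEFORE_OPTIONS = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n"
                  "X-Powered-By: PHP/5.3.3\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
                  "Content-Length: 0\r\n\r\n")
BEFORE_TRACE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n"
                "Content-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\nHost: example\r\n")
AFTER_OPTIONS = ("HTTP/1.1 200 OK\r\nServer: Hotzenplotz\r\n"
                 "Allow: GET,HEAD,POST,OPTIONS\r\nContent-Length: 0\r\n\r\n")
AFTER_TRACE = ("HTTP/1.1 405 Method Not Allowed\r\nServer: Hotzenplotz\r\n"
               "Allow: GET,HEAD,POST,OPTIONS\r\nContent-Length: 0\r\n\r\n")

VERSION_RE = re.compile(r"/\d+\.\d+")  # version suffix as in "Apache/2.2.15", "PHP/5.3.3"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(options_raw, trace_raw):
    """Return findings for the hardening points in the thread; an empty list means all pass."""
    findings = []
    _, headers, _ = parse_response(options_raw)
    # Point 1: X-Powered-By leaks the PHP version (php.ini: expose_php = Off)
    if "x-powered-by" in headers:
        findings.append("X-Powered-By present: " + headers["x-powered-by"])
    # Server signature still carries a version (Apache ServerTokens Prod, or SecServerSignature)
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append("Server header discloses version: " + server)
    # Point 2: TRACE still enabled, either advertised in Allow or echoed back with 200
    status, _, body = parse_response(trace_raw)
    allowed = [m.strip().upper() for m in headers.get("allow", "").split(",")]
    echoed = status == 200 and body.upper().startswith("TRACE")
    if "TRACE" in allowed or echoed:
        findings.append("HTTP TRACE enabled (Apache: TraceEnable Off)")
    return findings
```

Feed it the two responses saved from a real OPTIONS and TRACE request against the ZendTo host; it only reports findings and never sends traffic itself.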
</body></html>