I agree that ground-up application hardening is the way to go; it's a mighty hard thing to ensure.

Any environment that has multiple developers or multiple users is going to break that security quickly. Common open source software is susceptible to this stuff - well, a good bit is. It's easier/better, I believe, to have this protection layer up top for as-needed or just-in-case protection. Thanks @Daniel Lo Nigro for the good reading :) Hopefully, other folks see the wisdom in the top-down approach as well :)

Recently, there have been a number of very high profile mass hosting takeovers. There was one company with 40k sites that was entirely hacked, and there was the MySQL.com site hacked by a similar exploit. I am seeing tons of these and other similar attacks. Seeing tons of compromised sites in search too :(

On 10/10/11, MoroSwitie <[email protected]> wrote:
>> The anatomy of the tool oversimplified is that it posts to a URL on a
>> website and sends along in the POST some javascript which pumps this
>> data to MySQL:
>>
>
> If a tool sends POST data to a URL, the receiving script should
> validate all POST data before doing anything with it.
> Using a .htaccess rule is not a clean way to solve this, and I doubt
> it is secure.
> _______________________________________________
> Cherokee mailing list
> [email protected]
> http://lists.octality.com/listinfo/cherokee
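As an added illustration of the per-script validation MoroSwitie describes (not code from the thread or from Cherokee), the receiving script below checks every POST field against an allowlist before touching the database, inserts with a parameterized query, and escapes on output. Field names, rules and the sample POST bodies are constructed for the example; sqlite3 stands in for MySQL.

```python
import html
import re
import sqlite3

# Allowlist rule for each field the receiving script accepts; anything else is refused.
RULES = {
    "post_id": re.compile(r"[0-9]{1,10}"),
    "author": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "body": re.compile(r"[^<>]{1,2000}"),  # plain comment text, no markup at all
}

# Constructed sample POST bodies: one normal comment, one carrying the kind of
# script payload the thread describes being pushed into MySQL, one malformed id.
SAMPLE_POSTS = [
    {"post_id": "42", "author": "alice", "body": "Nice write-up, thanks."},
    {"post_id": "42", "author": "bob", "body": "<script src=\"http://example.invalid/x.js\"></script>"},
    {"post_id": "abc", "author": "carol", "body": "hi"},
]

def validate_post(fields):
    """Return (ok, reason); unknown fields or anything outside the allowlist fails."""
    unknown = set(fields) - set(RULES)
    if unknown:
        return False, f"unexpected field(s): {sorted(unknown)}"
    for name, rule in RULES.items():
        value = fields.get(name)
        if value is None or not rule.fullmatch(value):
            return False, f"field {name!r} failed validation"
    return True, ""

def store_comment(conn, fields):
    """Validate first, then insert with bound parameters so data never becomes SQL."""
    ok, reason = validate_post(fields)
    if not ok:
        return False, reason
    conn.execute("INSERT INTO comments (post_id, author, body) VALUES (?, ?, ?)",
                 (int(fields["post_id"]), fields["author"], fields["body"]))
    return True, ""

def render_comments(conn):
    """Escape on output as well, so stored text cannot run as script in a browser."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY rowid").fetchall()
    return [f"<p><b>{html.escape(a)}</b>: {html.escape(b)}</p>" for a, b in rows]

def demo():
    conn = sqlite3.connect(":memory:")  # stand-in for the MySQL table the thread mentions
    conn.execute("CREATE TABLE comments (post_id INTEGER, author TEXT, body TEXT)")
    results = [store_comment(conn, post) for post in SAMPLE_POSTS]
    return results, render_comments(conn)
```

Only the first sample is stored; the script payload and the malformed id are refused by the script itself, regardless of any URL-level rule in front of it.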
