Hi, Reference: > From: Andy Wodfer <wod...@gmail.com> > Date: Wed, 17 Jul 2013 23:11:27 +0200
Andy Wodfer wrote: > Hi everybody! > > I'm running a server on FreeBSD 8.1 STABLE (apache 2.2.16, mysql 5.1.50, To quote front page of http://www.freebsd.org: * Production: 9.1 * Legacy: 8.4 My net. con. is too slow right now to check this for you, but look yourself, I bet FreeBSD-8.1 was long ago declared by security-officer@ as not supported as too old, > php 5.3.3) and I server some websites from it, most of them using Joomla or > Wordpress CMS. > > I recently had a security breach where someone used a hole in an older > Joomla version and was able to install a php script called webadmin.php. > From that the person was able to browse all folders and view all files - > and change them... not nice! > > Apache runs using the www user (std installation) and all virtualhosts > share the same user, but are placed in different directories. > > I need some help and pointers to what I can do to strengthen security and > to atleast prevent someone from writing to the filesystem and browse all > directories and files. (allthough joomla needs some folders to be chmod 777) > > I'm thinking about installing apache2-mpm-itk or similare to jail each site > into its own directory and run each virtualhost as its own user. Is this a > good idea? > > Thankful for answers and pointers! > > All the best - > Andy Upgrade to 8.4 or 9.1, Reinstall new versions of all ports, cd /usr/ports/ports-mgmt/portaudit ; make install ; rehash ; portaudit ; # (Which is in 9.1 & not in 8.2) port-audit Cheers, Julian -- Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com Reply below not above, like a play script. Indent old text with "> ". Send plain text. No quoted-printable, HTML, base64, multipart/alternative. _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"