Category Archives: opensource

phpMailman

Last year I spent about 2 weeks working on [ phpMailman ].
Unfortunately, I had to abandon it because I was assigned to other projects.

It was one of the most interesting projects, and potentially one of the most useful, that I've worked on. And it seems that quite a lot of others agree: I still get emails asking about it.

In short, phpMailman is mailing-list (milis) software: a set of PHP scripts that store their data in a MySQL database.
It requires very little to run (most webhosting packages will suffice) and is easy to set up. These are two things I found lacking in other mailing-list software.

I apologize that I'm still not able to continue my work on it. Meanwhile, I've updated the page with more useful information and a link to the latest version. I hope someone will find it useful.

[ homepage of phpMailman ]

suPHP

suPHP is an Apache module that forces PHP scripts to be executed with the permissions of the user who owns them.

What does that mean ?

It means that if a script contains a vulnerability and gets exploited, only that particular user's account is affected.

This module is not meant to be used together with mod_php. In any case, if you're using mod_php, any exploited PHP script gives the intruder access to everything the Apache user can reach, since mod_php executes scripts as Apache's user.

Needless to say, suPHP would be of high interest to webhosters, along with mod_security.

mod_security

mod_security is an Apache module designed to do something a conventional firewall can't: block application-level attacks.

A firewall blocks attacks at the packet level, but most firewalls have port 80 open so that the webserver behind them can be reached. With conventional firewalls getting very good at their job nowadays, criminals have found that it can be much easier to breach a network through this route instead.

This is where mod_security comes to your assistance.

It can do quite a lot. For example, it can filter user requests (based on your own rules), both POST and GET, protecting you from potential SQL injection, XSS, directory traversal and other attacks.
Those alone are quite powerful, but there is more. It also makes it easy to run Apache chroot-ed, invoke a virus scanner on uploaded files, limit admin access by IP address, detect intrusions, stop information leaks, and even stop the famous FormMail from sending spam. Your creativity is pretty much the limit.
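As an added illustration of the kind of rules described above (this is not configuration from the original post), here is a small mod_security rule set in the ModSecurity 2.x `SecRule` syntax; the 1.x `SecFilter` directives current when this was written use a different, older syntax. The management IP address, the allowed mail domain, the chroot directory and the audit log path are constructed placeholders, and every rule logs its match so you can tune it before letting it block.

```apache
<IfModule security2_module>
    # Start with DetectionOnly on a live site, review the audit log, then switch to On
    SecRuleEngine On

    # Without this only GET parameters are inspected; POST bodies would pass untouched
    SecRequestBodyAccess On

    # Keep a record of every request that triggered a rule (path is a placeholder)
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Directory traversal in the path or any parameter, checked after URL decoding
    SecRule REQUEST_URI|ARGS "@rx \.\./" \
        "id:100001,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'Directory traversal attempt'"

    # Crude SQL injection signature in any GET or POST argument
    SecRule ARGS "@rx (?i:union\s+select|select\s+.+\s+from|insert\s+into|drop\s+table)" \
        "id:100002,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'SQL injection attempt'"

    # Script tags in any argument, after undoing URL and HTML-entity encoding
    SecRule ARGS "@rx (?i:<script)" \
        "id:100003,phase:2,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,log,msg:'XSS attempt'"

    # Limit the admin area to one management address (192.0.2.10 is a placeholder)
    SecRule REQUEST_URI "@beginsWith /admin/" \
        "id:100004,phase:1,chain,deny,status:403,log,msg:'Admin area request from unauthorised address'"
        SecRule REMOTE_ADDR "!@ipMatch 192.0.2.10"

    # FormMail abuse: refuse a recipient that is not in our own domain (example.com is a placeholder)
    SecRule REQUEST_FILENAME "@endsWith /formmail.pl" \
        "id:100005,phase:2,chain,deny,status:403,log,msg:'FormMail recipient outside allowed domain'"
        SecRule ARGS:recipient "!@endsWith @example.com"

    # Chroot support: only enable once the directory holds everything Apache needs at runtime
    # SecChrootDir /chroot/apache
</IfModule>
```

The chained rules (`chain`) only deny when both conditions hold, which is how a single rule set can express "this URL, but not from this address". The signatures above are deliberately simple; a real deployment should start from a maintained rule set and keep `SecRuleEngine DetectionOnly` until the audit log shows no false positives on legitimate traffic.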

I can't praise this thing enough. If you haven't installed it, I recommend you do, asap.

Further reading:
# Excellent introduction to mod_security
# chroot-ing Apache with mod_security
# ApacheSecurity.net, the website for Ivan's (yet to be released) book; it already contains a few security tools which may be of interest to you
# HOWTO: installing mod_security on Debian stable