Posted to modperl@perl.apache.org by fred <fr...@igtech.fr> on 2002/03/20 01:12:56 UTC

Security of a modperl enabled site

Hi,

I am in front of a security issue. We are running several sites using
modperl. Last days, a hacker used a script to call some script of our sites
for bad purpose. He needed to be authenticated, but we are only using
session cookies. Then, once he was logged in, he could retrieve this id and
use it in his home made script.

This is not the first time this kind of thing happens. We use application
level security addons to limit the effects. However, I am looking for a tool
that could limit user access by number of requests.

I found on the guide Apache::AccessLimitNum, but I can not find it on the
CPAN, it seems to be discontinued ...

I am sure I am not the only one to have such problems. How are you, guys,
fighting that?

Best regards,

Fred


Re: Security of a modperl enabled site

Posted by vi...@outblaze.com.
Try this.

http://www.snert.com/Software/mod_throttle/

Tor.

fred wrote:

> Hi,
>
> I am in front of a security issue. We are running several sites using
> modperl. Last days, a hacker used a script to call some script of our sites
> for bad purpose. He needed to be authenticated, but we are only using
> session cookies. Then, once he was logged in, he could retrieve this id and
> use it in his home made script.
>
> This is not the first time this kind of thing happens. We use application
> level security addons to limit the effects. However, I am looking for a tool
> that could limit user access by number of requests.
>
> I found on the guide Apache::AccessLimitNum, but I can not find it on the
> CPAN, it seems to be discontinued ...
>
> I am sure I am not the only one to have such problems. How are you, guys,
> fighting that?
>
> Best regards,
>
> Fred


Re: Security of a modperl enabled site

Posted by Perrin Harkins <pe...@elem.com>.
> I am in front of a security issue. We are running several sites using
> modperl. Last days, a hacker used a script to call some script of our
> sites for bad purpose. He needed to be authenticated, but we are only
> using session cookies. Then, once he was logged in, he could retrieve
> this id and use it in his home made script.

Think about what's different between his behavior and legitimate users'
behavior.  Is it that he's sending tons of requests in a brief period of
time?  Limit the frequency.

Randal wrote a column about how to do this:

http://www.stonehenge.com/merlyn/LinuxMag/col17.html

- Perrin
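
An added example (not part of this thread, and not the code from Randal's column or from mod_throttle): a sliding-window limiter keyed on the session id rather than the client address, since the abuse described above came from a logged-in session replayed by a script. The cookie name `session`, the limits and the sample requests are constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical policy (not from the thread): at most $MAX_REQUESTS requests
# per session id within any $WINDOW-second span.
my $MAX_REQUESTS = 5;
my $WINDOW       = 10;

my %hits;    # session id => array ref of timestamps of allowed requests

# Extract the session id from a Cookie header. The cookie name "session"
# is an assumption; use the name the application actually sets.
sub session_id_from_cookie {
    my ($cookie_header) = @_;
    return undef unless defined $cookie_header;
    for my $pair (split /;\s*/, $cookie_header) {
        my ($name, $value) = split /=/, $pair, 2;
        return $value if defined $value && $name eq 'session';
    }
    return undef;
}

# Sliding-window check: 1 if the request may proceed, 0 if this session has
# used its budget. Denied requests are not recorded, so a client that keeps
# hammering is held to $MAX_REQUESTS per window rather than locked out.
sub allow_request {
    my ($session_id, $now) = @_;
    my $log = $hits{$session_id} ||= [];
    shift @$log while @$log && $log->[0] <= $now - $WINDOW;    # expire old hits
    return 0 if @$log >= $MAX_REQUESTS;
    push @$log, $now;
    return 1;
}

# Constructed sample traffic: [epoch seconds, Cookie header].
my @requests = (
    (map { [ 1000 + $_, 'session=abc123; lang=fr' ] } 0 .. 7),    # scripted burst
    [ 1003, 'lang=en; session=zzz999' ],                           # ordinary user
    [ 1012, 'session=abc123' ],                                    # same session, later
);

for my $req (sort { $a->[0] <=> $b->[0] } @requests) {
    my ($time, $cookie) = @$req;
    my $sid     = session_id_from_cookie($cookie);
    my $verdict = !defined $sid              ? 'no session'
                : allow_request($sid, $time) ? 'allow'
                :                              'deny';
    printf "%d %-8s %s\n", $time, $sid // '-', $verdict;
}
```

In a prefork Apache each child process has its own copy of `%hits`, so a handler built on this would need to keep the counters in storage shared across children.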


Re: Security of a modperl enabled site

Posted by gidon <gi...@gidon.com>.
I've had people run password guessing scripts and stuff.

I've handled it on a case by case basis, ie, limit the number
of wrong guesses.

There are a bunch of modules that can set limits as well which
can come in handy against very brutish sorts of misuses of your site.
I used mod_throttle.c, there is a more flexible perl one or two as well.

On Wed, 20 Mar 2002, fred wrote:
> I am sure I am not the only one to have such problems. How are you, guys,
> fighting that?
> 
> Best regards,
> 
> Fred
>