  #12  
03-29-2009, 08:28 AM
Tony
Quote:
Originally Posted by yolte
I think we have to protect customers' web sites who don't have enough information about script security?

Can you give me examples of which rules are protecting from php shells? (for ex: r57, c99)

There is only so much you can do without making your hosting service have absolutely no features. We have mod_security rulesets up which do have mechanisms to protect against a lot of the exploits of the scripts themselves.

For disabling php functions, you have the issue of some scripts relying on them. I know gallery systems use exec and others use system. None use popen* so we disable those.

There is only so much you can do to protect your users. If they will not take the time to update their scripts, they'll deal with the consequences.

There are other avenues to put up malicious files. Do you not give your users FTP access? We've seen a growing number of hacked web sites come via ftp. Users using passwords that are the same as their username with one number in them. Or their own computers being hacked resulting in malicious files on their website.

This is all why we give users access to 7 days worth of backups that they can restore from themselves. If they get hacked they do have something to fall back on.

So in summary, sites are going to get hacked. If you want to protect them fully, you'd want to not give users any access to their accounts. You'd also want to disable POST and GET via mod_security and whitelist based on domain (one host does this).
__________________
Hawk Host
Frog Host
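Added example, not part of the post above or the host's own tooling: a static survey of which process-spawning PHP functions customer scripts actually call, so that only the unused ones go into `disable_functions`. The candidate list and the sample sources are assumptions constructed for illustration; a static scan like this misses dynamic calls such as `$f()` and the backtick operator.

```python
import re

# Process-spawning PHP functions a shared host might consider disabling
# (assumed candidate list, not taken from the post).
CANDIDATES = ["exec", "passthru", "popen", "proc_open", "shell_exec", "system"]

# A plain call: name followed by "(", not part of a longer identifier
# (curl_exec), a method/static call (->exec, ::exec) or a variable ($exec).
CALL = re.compile(r"(?<![\w>$:])(" + "|".join(CANDIDATES) + r")\s*\(", re.I)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Only whole-line comments are dropped, so a "//" inside a URL string
# never hides code that follows it on the same line.
LINE_COMMENT = re.compile(r"^\s*(//|#).*$", re.M)


def survey(sources):
    """Map each candidate function to the set of files that call it."""
    used = {name: set() for name in CANDIDATES}
    for path, code in sources.items():
        code = LINE_COMMENT.sub("", BLOCK_COMMENT.sub("", code))
        for match in CALL.finditer(code):
            # PHP function names are case-insensitive.
            used[match.group(1).lower()].add(path)
    return used


def disable_line(used):
    """Build a php.ini line from the candidates no scanned file calls."""
    unused = sorted(name for name, files in used.items() if not files)
    return "disable_functions = " + ",".join(unused)


# Constructed sample sources standing in for customer scripts.
SAMPLE = {
    "gallery/thumb.php": '<?php exec("convert " . escapeshellarg($src) . " out.jpg");',
    "stats/report.php": "<?php\n// popen() was used here once\nSystem('uptime');",
    "shop/pay.php": "<?php $r = curl_exec($ch); $db->exec($sql);",
}

if __name__ == "__main__":
    used = survey(SAMPLE)
    for name in CANDIDATES:
        print(f"{name:12} {sorted(used[name]) or '-'}")
    print(disable_line(used))
```

In practice `sources` would be filled by reading the `.php` files under each account's document root before the php.ini change is rolled out.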