r0ut3r said,
February 12, 2007 @ 3:36 pm
Nice presentation. Your slides included some stuff you rarely see in others, i.e. the slide on session fixation.
Also, this was not covered in your presentation slides, but reading the slide titled “Hide PHP And Apache Versions” made me think of another thing I’ve seen people do to hide information, or create the illusion that the website is not even running PHP, and that is to use mod_rewrite to alter file names and put the actual PHP files in a different directory. So the user views test.html, but it is actually reading test.php.
I’ve also heard of people altering httpd.conf so the web server reads the extension .html and treats it like a php file instead. I’m pretty sure it’s in httpd.conf anyway.
I think using mod_rewrite gives more of an advantage though.
Steven Roddis said,
February 12, 2007 @ 3:40 pm
Server: Apache/2.0.54 (Unix) PHP/4.4.4 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.3.2
X-Powered-By: PHP/5.1.2
Isn’t going to go away via mod_rewrite. I also mentioned that it should be in tandem with changing the PHP extension.
r0ut3r said,
February 12, 2007 @ 4:00 pm
“Isn’t going to go away via mod_rewrite” - yeah. I was meaning in addition to hiding php and apache versions.
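Added example, not from the slides or from either commenter: an Apache 2.x configuration that puts the three ideas in this thread together, the mod_rewrite trick from r0ut3r's comment, the httpd.conf "treat .html as PHP" alternative, and the header trimming Steven points out the rewrite alone does not give you. The directory layout (/var/www/html with the real scripts under /var/www/html/app), the file names, and the use of mod_php are assumptions for the sake of the example.

```apache
# 1. Server header: "ServerTokens Prod" reduces it to "Server: Apache"
#    with no version or module list; ServerSignature Off keeps the
#    version out of error pages and directory listings as well.
ServerTokens Prod
ServerSignature Off

# 2. PHP's own banner (X-Powered-By). The proper fix is expose_php = Off
#    in php.ini; unsetting the header here (needs mod_headers) is a
#    fallback for hosts where php.ini is not under your control.
Header unset X-Powered-By

<VirtualHost *:80>
    ServerName www.example.com          # assumed hostname
    DocumentRoot /var/www/html          # assumed layout

    RewriteEngine On

    # Refuse requests that name a .php file directly. THE_REQUEST holds the
    # original request line and is not changed by internal rewrites, so
    # this blocks outside callers without breaking the rewrite below.
    RewriteCond %{THE_REQUEST} \.php[\s?] [NC]
    RewriteRule ^ - [F,L]

    # 3a. Serve /test.html but run /app/test.php. The rewrite is internal
    #     (no [R] flag), so the browser never sees the .php path.
    RewriteRule ^/(.+)\.html$ /app/$1.php [L]

    # 3b. The httpd.conf alternative mentioned in the thread: with mod_php
    #     you can instead hand every .html file to the PHP handler and
    #     simply rename the scripts. Use one approach or the other.
    # AddType application/x-httpd-php .html
</VirtualHost>
```

Check the result with `curl -I http://www.example.com/test.html`: the Server header should read just "Apache", there should be no X-Powered-By, and a request for /app/test.php should get a 403 while /test.html returns the script's output. Keep in mind that all of this only trims banners; it does not change how the server behaves, so it is a layer on top of patching, never a substitute for it.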