look: This article is written for friends who want to set up a secure web site on the Win2k platform.
Programs required:
apache
http://www.apache.org/dist/httpd/binaries/win32/
We use apache_1.3.28-win32-x86-no_src.msi or apache_2.0.47-win32-x86-no_ssl.msi; either will do.
Do not use older versions: they have flaws and are easily attacked from the Internet.
php
http://cn2.php.net/get/php-4.3.3-Win32.zip/from/a/mirror
php-4.3.3
mysql
http://www.mysql.com/get/Downloa … 5-win.zip/from/pick
mysql-4.0.15
Note: MySQL versions lower than this have flaws; do not use them.
ZendOptimizer-2[1].1.0a-Windows-i386.exe
PHP optimizer; supports encrypted PHP scripts.
MySQL-Front
A GUI MySQL manager that runs on the MS platform; very easy to use.
phpMyAdmin-2.5.0-php.zip
A PHP-script-based MySQL manager.
phpencode.exe
PHP encryption compiler.
Title 17/2/2002
PHP for Windows Arbitrary Files Execution (GIF, MP3)
Summary
Through PHP.EXE, an attacker can cause PHP to interpret any file as a PHP file,
even if its extension is not .php. This would enable the remote attacker to
execute arbitrary commands, leading to a system compromise.
Details
Vulnerable systems:
PHP version 4.1.1 under Windows
PHP version 4.0.4 under Windows
An attacker can upload innocent-looking files (with mp3, txt or gif extensions)
through any uploading system such as WebExplorer (or any other PHP program that
has uploading capabilities), and then request PHP to execute it.
Example:
After uploading a file with a "gif" extension (in our example huh.gif) that contains
PHP code such as:
#------------
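The advisory above describes uploads that carry PHP code under a harmless extension and are then handed to PHP.EXE. The following is an added example written for this page, not code from the original article or from the PHP project, of an upload handler that does not rely on the client's filename: it checks the file's leading bytes against the claimed type, refuses content that contains PHP tags, renames the file to a random name, and stores it in a directory where the web server is configured not to execute scripts. The upload directory C:\www\uploads, the form field name "userfile", and the allowed-type table are assumptions for the example.

```php
<?php
// Added example for PHP 4.3 / 5.x on Windows + Apache (not from the original article).
// Assumptions: the form field is "userfile" and uploads go to C:\www\uploads,
// a directory outside DocumentRoot (or one where PHP is disabled, see below).
$uploadDir = 'C:\\www\\uploads';
$maxBytes  = 2 * 1024 * 1024;

// Extension -> leading bytes ("magic") the content must start with.
// null means no magic check is possible for that type (plain text, mp3 with ID3/frames).
$allowed = array(
    'gif' => "GIF8",
    'jpg' => "\xFF\xD8\xFF",
    'png' => "\x89PNG",
    'txt' => null,
    'mp3' => null,
);

function reject($msg)
{
    header('HTTP/1.0 400 Bad Request');
    echo htmlspecialchars($msg);
    exit;
}

if (!isset($_FILES['userfile']) || $_FILES['userfile']['error'] != 0) {
    reject('no file received');
}
$tmp = $_FILES['userfile']['tmp_name'];
if (!is_uploaded_file($tmp)) {              // must come from this request's upload
    reject('not an uploaded file');
}
if ($_FILES['userfile']['size'] > $maxBytes) {
    reject('file too large');
}

// The client-supplied name is used only to pick a type from the whitelist.
$info = pathinfo($_FILES['userfile']['name']);
$ext  = isset($info['extension']) ? strtolower($info['extension']) : '';
if (!array_key_exists($ext, $allowed)) {
    reject('extension not allowed');
}

// Check that the bytes match the claimed type (huh.gif must really start as a GIF).
$magic = $allowed[$ext];
if ($magic !== null) {
    $fh   = fopen($tmp, 'rb');
    $head = fread($fh, strlen($magic));
    fclose($fh);
    if ($head !== $magic) {
        reject('content does not match extension');
    }
}

// Defence in depth: refuse any upload containing PHP open tags, whatever its extension.
$data = file_get_contents($tmp);
if (preg_match('/<\?|<script[^>]*language\s*=\s*["\']?php/i', $data)) {
    reject('script content not accepted');
}

// Store under a server-generated name so the request can never name the file itself.
$newName = md5(uniqid(rand(), true)) . '.' . $ext;
$dest    = $uploadDir . DIRECTORY_SEPARATOR . $newName;
if (!move_uploaded_file($tmp, $dest)) {
    reject('could not store file');
}
echo 'stored as ' . htmlspecialchars($newName);

// httpd.conf (assumed fragment): if the upload directory must be served at all,
// make sure nothing in it is ever handed to PHP:
//   <Directory "C:/www/uploads">
//       php_flag engine off            # mod_php builds
//       RemoveHandler .php .phtml .php3
//       Options -ExecCGI
//   </Directory>
// For CGI builds, do not map PHP through a generic Action/ScriptAlias that lets
// a request point php.exe at an arbitrary path.
?>
```

The magic-byte check is what defeats the specific trick in the advisory (a "gif" that is really PHP source); the random rename and the per-directory engine/handler settings are what make the vulnerability irrelevant even if a malicious file does get stored, because the web server never passes that directory's contents to the PHP interpreter.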
The insecure aspects of a default MySQL service installation are:
1. MySQL's default grant tables
2. Lack of logging capability
3. The my.ini file leaking passwords
4. The service being bound to all network interfaces by default
5. Permissions on the MySQL directory under the default installation path
1. MySQL's default grant tables
Because MySQL's authentication is based on the database named mysql, also called the grant tables, all privilege settings live there.