WIN2000 Apache php mysql 安裝及安全手冊
2024-08-27 18:23:08
供稿:網友
look:本文寫給想在win2k平臺上架設一個安全web站臺的朋友們。
所需要的程序:
apache
http://www.apache.org/dist/httpd/binaries/win32/
我們選用apache_1.3.28-win32-x86-no_src.msi,或者apache_2.0.47-win32-x86-no_ssl.msi
都可以,勿使用低版本的程序,它們有缺陷,很容易遭到internet上的攻擊
php
http://cn2.php.net/get/php-4.3.3-Win32.zip/from/a/mirror
php-4.3.3
mysql
http://www.mysql.com/get/Downloa ... 5-win.zip/from/pick
mysql-4.0.15
注:低于這個版本的mysql,有缺陷,勿使用
ZendOptimizer-2[1].1.0a-Windows-i386.exe
php的優化器,支持加密php腳本
MySQL-Front
一個運行于ms平臺的gui的mysql的管理器,非常好用
phpMyAdmin-2.5.0-php.zip
基于php腳本的mysql管理器
phpencode.exe
php加密編譯器
install~
1.安裝apache
由于安裝很簡單,pass~!,只是要注意的是,請勿安裝到系統分區上
因為這樣,無論從備份,維護,災難性恢復上,都是有優勢的.
假設安裝到了d://
2.安裝php
具體安裝過程請參考php目錄里的install.txt
需要注意的是,請勿使用cgi方式
以下為引用資料
------------------------------------------------------------------
Title 17/2/2002
PHP for Windows Arbitrary Files Execution (GIF, MP3)
Summary
Through PHP.EXE, an attacker can cause PHP to interpret any file as a PHP file,
even if its extensions are not PHP. This would enable the remote attacker to
execute arbitrary commands, leading to a system compromise.
Details
Vulnerable systems:
PHP version 4.1.1 under Windows
PHP version 4.0.4 under Windows
An attacker can upload innocent looking files (with mp3, txt or gif extensions)
through any uploading systems such as WebExplorer (or any other PHP program that
has uploading capabilities), and then request PHP to execute it.
Example:
After uploading a file a /"gif/" extension (in our example huh.gif) that contains
PHP code such as:
#------------
<?
phpinfo();
?>
#------------
An attacker can type the following address to get in to cause the PHP file to be
executed:
http://www.example.com/php/php.exe/UPLOAD_DIRECTORY/huh.gif
Notice: php/php.exe is included in the URL.
Additional information
The information has been provided by CompuMe and RootExtractor.
ps:大部分版本都有這個毛病.包括一些最新版本,所以請不要以cgi安裝!切記...
3.安裝mysql
安裝到d://,也很簡單,具體過程pass.
只是mysql安裝后的默認設置實在讓人擔心
以下引用我原來的文章
-----------------------------------------------------------------------------------
2002/12/21
寫在前面:無事可做,生命被消耗,痛~~~啊,所以就寫了,本文no原創,整理而成!
默認安裝的mysql服務不安全因素涉及的內容有:
一.mysql默認的授權表
二.缺乏日志能力
三.my.ini文件泄露口令
四.服務默認被綁定全部的網絡接口上
五.默認安裝路徑下的mysql目錄權限
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
一.mysql默認的授權表
由于mysql對身份驗證是基于mysql這個數據庫的,也叫授權表。所有的權限設置都在這里了。
