...

More generally, JavaScript code can be used to attack content owned by someone else on the same domain.  To mitigate these attacks, we should use a separate domain for each content owner.  This can be easily achieved with a wildcard DNS record, so that user sites look like http://mv.ezproxy.com.ezproxy.canberra.edu.au/ instead of http://mv.ezproxy.com.ezproxy.canberra.edu.au/~username.

3e. PHP session hijacking

...

A local root vulnerability could allow a regular user to take control of the entire hosting service, or could allow an attacker who has taken control of a user account (or the apache account) to take control of the entire service.  Recovering from a compromise of this sort would require disrupting the web hosting service, possibly for an extended period of time, while the server is reinstalled and user content is restored from backup.

Mitigation options:

  • Audit the system for setuid programs and remove any unnecessary packages containing them.  Turn off the setuid bit on the remaining setuid programs which don't need to be setuid.
  • Keep the system up to date.
  • Treat kernel security updates as high-priority updates; schedule a reboot to install kernel updates on the evening of the upstream kernel package release at the latest.
  • Use a Linux distribution which closely tracks the upstream kernel.org sources and run a custom-built kernel based on those sources, thus allowing us to apply kernel patches easily.
  • Have multiple front-end machines serving user content with a load-balancer between them, allowing the serving machines to be shut down in series for rapid kernel upgrades.
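
One way to carry out the setuid audit in the first option, as an added example that is not part of the original page: a POSIX shell script that lists setuid files, subtracts a reviewed allowlist, and names the owning package of each remaining file. The function names and the allowlist file (one absolute path per line) are assumptions of this example; `rpm` or `dpkg` is used only if present.

```shell
#!/bin/sh
# Added example: audit setuid files against a reviewed allowlist.
# Usage (assumed file name): sh setuid-audit.sh / /etc/setuid.allow

# find_setuid ROOT: every regular file under ROOT with the setuid bit set.
# -xdev keeps the walk on one filesystem (skips /proc and network mounts).
find_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# unexpected_setuid ROOT ALLOWLIST: setuid files that are not on the allowlist.
# grep: -F fixed strings, -x whole-line match, -v invert the match.
unexpected_setuid() {
    find_setuid "$1" | grep -Fxv -f "$2"
}

# owner_of FILE: the package that installed FILE, so an unnecessary setuid
# program can be removed with its package instead of only losing the bit.
owner_of() {
    if command -v rpm >/dev/null 2>&1 &&
       pkg=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null); then
        printf '%s\n' "$pkg"
    elif command -v dpkg >/dev/null 2>&1 &&
         pkg=$(dpkg -S "$1" 2>/dev/null); then
        printf '%s\n' "${pkg%%:*}"      # dpkg prints "package: /path"
    else
        printf 'unowned\n'              # not installed by the package manager
    fi
}

# report ROOT ALLOWLIST: "package<TAB>path" for each unexpected setuid file.
report() {
    unexpected_setuid "$1" "$2" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(owner_of "$f")" "$f"
    done
}

# Run the audit only when called with both arguments.
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

Each reported path is then a decision: remove the package, or `chmod u-s` the file, or add the path to the allowlist after review. An `unowned` entry is a setuid file that the package manager did not install.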

It may be possible to use SELinux to reduce the likelihood of a local root privilege escalation.  More research is required.

...