do you or anyone know of a nice tutorial (forum post, web page, etc.) that lists how to address these exact issues on your server to make it less vulnerable to unknown exploits?
One of the topics I posted in about this is this one, which has a link to WebHostingTalk on making the temporary directories unable to support executable files. This topic has some remarks about user ownership and permissions, as they apply to PHPBB.
The unfortunate thing about all of this is that the "best" security model won't work for most of the people who install PHPBB. It's nice to pontificate about setting the avatar directory owner to "apache", but you can only do that with root or administrator privileges, so it comes down to hosting yourself (with its own headaches), or getting a good, cooperative host that will work with you on such things (which excludes most free and many paid hosts).
Making tools that script kiddies need (curl, wget, Perl, etc.) available is usually based upon the needs of other sites on a shared host. Sometimes the choice of using Apache's mod_suexec is made to accommodate specific CGI requirements of just a few users, but it affects all users if it isn't set up correctly.
The important part is to make sure that no file that could have been uploaded through HTTP can be considered executable. Since code in templates is run through the eval() function, the templates directory should not allow any writing by the web server.
Personally, I'd make one basic change to how PHPBB handles avatars, and things like the attachment and photo album MODs work... Put the files into BLOB fields in the database, rather than writing files on disk, and provide a display program that simply copies the contents of the BLOB out with the correct header information. If this were extended to templates, there would be NO need for PHPBB to write files to the system, and most upload-related exploits would not work... since the system doesn't know how to execute an SQL entry!
Hmmm... Maybe I'll put that on my list of changes to work on when I have time...
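The BLOB-backed avatar design described in the reply above, written out as an added PHP example (not code from the original post or from phpBB): uploaded bytes are type-checked from their content, stored in the database, and served back with fixed headers so nothing ever lands on disk where the web server could execute it. The `avatars` table layout, the DSN and the MySQL `REPLACE INTO` are assumptions.

```php
<?php
// Added example (not phpBB code). Assumed table: avatars(user_id INT, mime VARCHAR, data BLOB).
declare(strict_types=1);

// Only these image types are ever stored or served; the extension is for the download name.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function store_avatar(PDO $db, int $userId, string $bytes): void
{
    // Decide the type from the bytes themselves, never from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!isset(ALLOWED_TYPES[$mime]) || @getimagesizefromstring($bytes) === false) {
        throw new RuntimeException('not an accepted image');
    }
    // Prepared statement with a typed LOB parameter: the image is data, never SQL.
    $stmt = $db->prepare('REPLACE INTO avatars (user_id, mime, data) VALUES (?, ?, ?)');
    $stmt->bindValue(1, $userId, PDO::PARAM_INT);
    $stmt->bindValue(2, $mime, PDO::PARAM_STR);
    $stmt->bindValue(3, $bytes, PDO::PARAM_LOB);
    $stmt->execute();
}

function serve_avatar(PDO $db, int $userId): void
{
    $stmt = $db->prepare('SELECT mime, data FROM avatars WHERE user_id = ?');
    $stmt->bindValue(1, $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !isset(ALLOWED_TYPES[$row['mime']])) {
        http_response_code(404);
        return;
    }
    // Some drivers hand a LOB back as a stream rather than a string.
    $data = is_resource($row['data']) ? stream_get_contents($row['data']) : $row['data'];
    // Fixed type from the allowlist, no content sniffing, inline display under a safe name.
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="avatar_' . $userId . '.' . ALLOWED_TYPES[$row['mime']] . '"');
    header('Content-Length: ' . strlen($data));
    echo $data;
}

// Entry point: the only input accepted is a positive integer user id (?u=123).
$db = new PDO('mysql:host=localhost;dbname=phpbb', 'phpbb', 'secret'); // assumed DSN and credentials
$userId = filter_input(INPUT_GET, 'u', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($userId === null || $userId === false) {
    http_response_code(400);
    exit;
}
serve_avatar($db, $userId);
```

With this layout the upload directory can be dropped entirely, so the "no file uploaded through HTTP may be executable" rule is enforced by design rather than by per-host permission settings.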