
AW: AW: [Full-Disclosure] securing php



> > You can enable PHP's "Safe Mode", which goes a long way to
> > closing these holes, but it's not a 100% solution.
> 
> PHP uses many libraries which were not designed to cope with malicious
> input from the application.  That's why PHP Safe Mode is unsafe *by*
> *design*.

Yes, but you have two different sets of problems here:

a) PHP by default has the same access to the system as Apache does,
   which is way too much.
   Safe Mode does (mostly) solve this problem.

b) Input verification and all other problems of exploiting PHP
   scripts, just as you have in any other language
   Safe Mode does nothing against these, though it can help to
   contain an exploit.


As I said: It's not a 100% solution, but that is not an excuse for
not using it and at least getting what safety it offers.


Tom Vogt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html