lists.openwall.net - Open Source and information security mailing list archives
From: venom at gen-x.co.nz (VeNoMouS)
Subject: How secure is PHP ?

I'm assuming you're talking about PHP with Apache. If so, use php_admin_value open_basedir; I would also use the php-exec-dir patch to block all executables so they can't jump outside to other dirs with normal binaries.

----- Original Message -----
From: "J b" <modperlpants@...oo.com>
To: <npsomaratna@...il.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Friday, November 05, 2004 8:54 AM
Subject: Re: [Full-Disclosure] How secure is PHP ?

>> However, when browsing the web, I found an article
>> which said that "it requires an expert to lockdown
>> php" (Sorry, but I can't quite recall the URL).
>>
>> While I am not a novice, I am definitely not an
>> expert either - especially on security issues.
>>
>> So, I'd like to ask the members of this list - how
>> difficult is it to secure php ? Do you really need
>> a security "expert" to do this ?
>>
>> P.S. The few hundred students mentioned above are
>> IT students ;-)
>
> I think one thing worth mentioning is that in
> *most* PHP installations, the PHP code will be
> executed as the web server user.
>
> This means that the several hundred IT students
> will be able to read each other's code and write
> to each other's datastores. Most students will
> have to chmod a+w any files or directories
> that will be modified by their PHP code.
>
> There are several ways around this, but it does
> take more configuration and security smarts to
> implement. This "vulnerability" (if you can call
> it that) exists in just about every multi-user web
> system out there, so it's probably worth your time
> to investigate different security mechanisms.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
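As an added illustration of the two points raised above (per-account open_basedir with php_admin_value, and the fact that mod_php runs everyone's code as the one web server user, so file isolation has to come from configuration), here is an Apache/mod_php vhost fragment. It is not part of the thread and not anyone's production config; the hostnames, user names and paths are hypothetical. It goes slightly beyond the mail by showing the weak form next to the hardened one, and by using disable_functions as a stock alternative to the php-exec-dir patch the reply mentions.

```apache
# Added example (not from the thread): one vhost per student account so
# PHP code in one account cannot read or write another account's files.
# All names and paths below are hypothetical.

# Weak: php_value can be overridden from a .htaccess file inside the
# student's own DocumentRoot (when AllowOverride permits), so the
# restriction only holds until the student changes it.
<VirtualHost *:80>
    ServerName student1.example.test
    DocumentRoot /home/student1/public_html
    php_value open_basedir /home/student1/public_html
</VirtualHost>

# Corrected: php_admin_value may only be set in the main server config
# and cannot be lifted by .htaccess or ini_set().
<VirtualHost *:80>
    ServerName student1.example.test
    DocumentRoot /home/student1/public_html

    # open_basedir is a prefix match, so the trailing slash matters:
    # "/home/student1" would also admit /home/student10, /home/student1x ...
    php_admin_value open_basedir "/home/student1/public_html/:/tmp/student1/"

    # Keep uploads and session files inside the same fenced area so
    # the default shared /tmp is not readable by every other account.
    php_admin_value upload_tmp_dir /tmp/student1
    php_admin_value session.save_path /tmp/student1

    # open_basedir only governs PHP's own file functions. Spawning a
    # process is a separate control: the thread's php-exec-dir patch,
    # or, as here, removing the process-execution functions entirely.
    php_admin_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen"
</VirtualHost>
```

Each student still runs as the single web server user, so the isolation is only as good as the interpreter enforcing it; anything that escapes PHP (a CGI script, an exec'd binary) sees the same filesystem the server user does, which is why the reply pairs open_basedir with a control on executables. After changing the config, a quick check is a script in one account that tries `file_get_contents()` on a path in another account and confirms it fails with an open_basedir warning rather than returning data.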