Bugtraq mailing list archives
Re: PHP security (or the lack thereof)
From: flaps () dgp toronto edu (Alan J Rosenthal)
Date: Mon, 19 Jun 2006 19:41:48 -0400
For example, allowing users to upload and execute any C executable file to a public web server can prove to be quite dangerous. I think the same can be said for allowing PHP on a public web server, you have just allowed anyone with a website to compromise the entire machine.
I think the relevant maxim is "It's possible to write PHP in any language" ...
As a threat to the internet in whole, don't you think these public php enabled web servers pose an high risk?
I think that any ability of the (l)users to expose executables as web services threatens the security of the web server machine, irrespective of programming language. (But I don't see how it threatens "the internet" -- they can already connect their own misconfigured machine to the net directly)
Current thread:
- Re: PHP security (or the lack thereof), (continued)
- Re: PHP security (or the lack thereof) kicktd (Jun 21)
- Re: PHP security (or the lack thereof) Geo. (Jun 21)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 22)
- Re: PHP security (or the lack thereof) Neil Neely (Jun 19)
- Re: PHP security (or the lack thereof) john mullee (Jun 23)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 26)
- Re: PHP security (or the lack thereof) Ronald Chmara (Jun 27)
- Re: PHP security (or the lack thereof) Tonnerre Lombard (Jun 28)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 28)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 26)
- Re: PHP security (or the lack thereof) Geo. (Jun 23)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 23)
- Re: PHP security (or the lack thereof) Daniel Hulme (Jun 26)
- Re: PHP security (or the lack thereof) Tobias J. Kreidl (Jun 26)
- Re: PHP security (or the lack thereof) Glynn Clements (Jun 27)
- Re: PHP security (or the lack thereof) Ronald Chmara (Jun 26)
- RE: PHP security (or the lack thereof) Geo. (Jun 26)
- Re: PHP security (or the lack thereof) Paul Schmehl (Jun 26)
- RE: PHP security (or the lack thereof) Geo. (Jun 28)