Bugtraq mailing list archives
Re: PHP security (or the lack thereof)
From: Mrten <bugtraq () ii nl>
Date: Mon, 26 Jun 2006 21:37:08 +0200
Om 18:06 op maandag 26 juni 2006, Geo.:
..."The configuration flexibility of PHP is equally rivalled by the code flexibility. PHP can be used to build complete server applications, with all the power of a shell user, or it can be used for simple server-side includes with little risk in a tightly controlled environment. How you build that environment, and how secure it is, is largely up to the PHP developer."
And is the default install wide open or tightly controlled? I mean from a security standpoint we have been screaming for years at Microsoft to change their defaults to firewall on and things locked instead of open.
Is php secure by default when it's installed on a server?
no, it is definitely not. with things like allow_url_fopen [1] defaulting to true which allows remote scripts to be include()d, safe mode being off [2], functions like system() and shell_exec() allowing the script to execute random programs on the webserver, things are not quite there yet. Mrten. [1] http://www.php.net/manual/en/ref.filesystem.php#ini.allow-url-fopen [2] yes, i know it's an ugly workaround. it's a useful one, though. -- Be the change you want to see in the world. --Mahatma Ghandi
Current thread:
- Re: PHP security (or the lack thereof), (continued)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 23)
- Re: PHP security (or the lack thereof) Daniel Hulme (Jun 26)
- Re: PHP security (or the lack thereof) Tobias J. Kreidl (Jun 26)
- Re: PHP security (or the lack thereof) Glynn Clements (Jun 27)
- Re: PHP security (or the lack thereof) Ronald Chmara (Jun 26)
- RE: PHP security (or the lack thereof) Geo. (Jun 26)
- Re: PHP security (or the lack thereof) Paul Schmehl (Jun 26)
- RE: PHP security (or the lack thereof) Geo. (Jun 28)
- Re: PHP security (or the lack thereof) Matthias Kestenholz (Jun 26)
- RE: PHP security (or the lack thereof) Geo. (Jun 27)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 23)
- Re: PHP security (or the lack thereof) Mrten (Jun 26)