Full Disclosure mailing list archives
Re: securing php
From: "Larry W. Cashdollar" <lwc () vapid ath cx>
Date: Tue, 19 Aug 2003 23:01:58 -0400 (EDT)
Justin, I recommend for server security and stability sake in a production environment, to run software on the platform it was developed on. Atleast in this case. So you want to run apache? run it on a *nix variant. I have never run IIS so I can't compare it to Windows native http server. At least what I have seen with software that has been ported from Windows to UNIX (Solaris in this case) is the differences in security models tend to fall through the cracks. I suspect this case might be the same the other way around. The nativly written stuff has had longer to bake etc... -- Larry C$ "Justin Shin" <zorkshin () tampabay rr com> wrote:
Hi all -- I have a friend that owns a web hosting company and recently he asked me to check up on his security ... I found that PHP scripts could access, modify, etc. anything on the drive. Of course, this is because PHP was invoked by apache, which is being run as a root user (Administrator, he runs apache on win2k3 for some odd reason) but I do not know the remedy. How could he set up his apache/PHP so that only the users of his web hosting service could "do stuff" to their own web directories. I know I am not explaining this well, but I think you get the picture :) I also know there is a simple solution to this, I googled it though and I couldn't find it.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- securing php Justin Shin (Aug 19)
- Re: securing php Michael Gale (Aug 19)
- Re: securing php Paul Schmehl (Aug 19)
- Re: securing php Larry W. Cashdollar (Aug 19)
- Re: securing php Evan Nemerson (Aug 20)
- Re: securing php jeremy (Aug 20)
- <Possible follow-ups>
- RE: securing php Rainer Gerhards (Aug 20)
- Re: securing php Michael Gale (Aug 19)