Vulnerability Development mailing list archives

Re: PHP


From: jk () DAC ORG (Darkcyde)
Date: Wed, 1 Dec 1999 12:00:22 +0000


On Tue, 30 Nov 1999, Paul Henson wrote:

[snip]

> Of course, I could run PHP as a wrapped CGI, but that would be much less
> efficient and negate many of the benefits of the Apache module version. PHP
> does have a concept called "safe mode", and it is implied that if safe mode
> is turned on, you can securely allow untrusted users to run PHP. However, I
> could not find a good description of what safe mode actually entailed and
> was unable to satisfy myself of its security.

I can't remember the details of safe mode, I think possibly it just
restricts system and exec type stuff.  Be aware however that it's very
easy for users (clueless or not) to eat loads of memory with infinite
loops.

These tend to spiral out of control because, if this happens when PHP is
running as a module, there doesn't seem (last time I looked anyway) to be
a way of capping the resources that module code eats.  (You may scream
RLimitMEM/RLimitCPU at me, but those only apply to child processes; PHP
scripts run within Apache itself.)

> Has anyone investigated the security of PHP running as an Apache module
> with safe mode enabled? Are there any good references or discussions of PHP
> security available?

Have you trawled php.net?

> Thanks...

J.
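The point made above about RLimit directives is that kernel resource limits are attached to a process, so they can cap a script only when it runs in its own process (the "wrapped CGI" model), not when it executes inside the server itself. The following added example, which is not part of this thread and not PHP or Apache code, illustrates that mechanism with a Python wrapper on Linux: each constructed "untrusted script" is executed in a child process that first lowers its own RLIMIT_AS and RLIMIT_CPU, so a memory hog dies with an allocation failure and an infinite loop is killed by the CPU limit while the parent process is untouched. Limits, sample scripts and the helper names are all assumptions made for the illustration.

```python
"""Cap an untrusted script by running it in a child process under rlimits.

Added illustration (not code from the mailing-list thread). Assumes Linux
and Python 3; the 'untrusted scripts' are constructed Python snippets so
the example is self-contained, where a real wrapper would exec the
interpreter of the CGI language instead.
"""
import resource
import subprocess
import sys

# Constructed sample "scripts" standing in for user-supplied CGI code.
WELL_BEHAVED = "print(sum(range(1000)))"    # finishes quickly, small memory
MEMORY_HOG = "x = bytearray(2 << 30)"       # tries to grab 2 GiB in one go
INFINITE_LOOP = "while True:\n    pass"     # burns CPU forever


def run_capped(script, mem_bytes=512 * 1024 * 1024, cpu_seconds=1):
    """Run `script` in a fresh child process with RLIMIT_AS and RLIMIT_CPU.

    Returns (returncode, stdout).  The limits are lowered in the child only
    (preexec_fn runs after fork and before exec), which is exactly why they
    cannot reach code executing inside the parent, the analogue of a script
    running within the server process itself.
    """
    def apply_limits():
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))

    proc = subprocess.run(
        [sys.executable, "-c", script],
        preexec_fn=apply_limits,
        capture_output=True,
        text=True,
        timeout=cpu_seconds + 5,  # safety net; RLIMIT_CPU should fire first
    )
    return proc.returncode, proc.stdout.strip()


def classify(returncode):
    """Map a child's exit status to a short label suitable for a log line."""
    if returncode == 0:
        return "ok"
    if returncode < 0:
        # Negative status means the child was terminated by a signal,
        # e.g. SIGXCPU when RLIMIT_CPU is exceeded.
        return "killed by signal %d" % -returncode
    # A positive status here is an ordinary error exit, e.g. the
    # interpreter dying on an unhandled MemoryError under RLIMIT_AS.
    return "exited with error"


if __name__ == "__main__":
    for name, script in [("well-behaved", WELL_BEHAVED),
                         ("memory hog", MEMORY_HOG),
                         ("infinite loop", INFINITE_LOOP)]:
        rc, out = run_capped(script)
        print("%-14s -> %s (rc=%d, stdout=%r)" % (name, classify(rc), rc, out))
```

The well-behaved script prints 499500 and exits 0; the memory hog cannot obtain its address space and exits with a MemoryError; the infinite loop is terminated by a signal once it has consumed one CPU second. Nothing here protects a script that runs inside the calling process, which is the limitation the reply describes for the module model.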

