Vulnerability Development mailing list archives
Re: PHP
From: jk () DAC ORG (Darkcyde)
Date: Wed, 1 Dec 1999 12:00:22 +0000
On Tue, 30 Nov 1999, Paul Henson wrote: [snip]
> Of course, I could run PHP as a wrapped CGI, but that would be much less efficient and negate many of the benefits of the Apache module version. PHP does have a concept called "safe mode", and it is implied that if safe mode is turned on, you can securely allow untrusted users to run PHP. However, I could not find a good description of what safe mode actually entailed and was unable to satisfy myself of its security.
I can't remember the details of safe mode; I think possibly it just restricts system and exec type stuff. Be aware, however, that it's very easy for users (clueless or not) to eat loads of memory with infinite loops. These tend to spiral out of control because, when PHP is existing as a module, there doesn't seem to be (last time I looked anyway) a way of capping the resources that module code eats. (You may scream RLimitMEM/RLimitCPU to me, but that only applies to child processes; PHP scripts run within Apache itself.)
> Has anyone investigated the security of PHP running as an Apache module with safe mode enabled? Are there any good references or discussions of PHP security available?
Have you trawled php.net?
Thanks...
J.