Vulnerability Development mailing list archives

Re: PHP

From: MSTOREY () UK IBM COM (Matt Storey)
Date: Wed, 1 Dec 1999 16:14:29 +0000


Safe mode runs with the minimum amount of drivers, thus intailing you to fix
whatever problems the the system has been experiencing for example if it has
been having problems with a driver of a program at startup that keeps "Blue
Screening" then you run it in safe mode so the driver/program does not run,
which allows you to see a GUI and fix the appropriate driver/problem.  The
features of Safe mode are endless.

Loops are a problem due to the fact that they are so easily created by a program
that needs certain parameters to run and safe mode does not supply them, which
in turn it goes off in its own merry way eating CPU utilizations and memory
until the machine either crashes or the user switches off...

Unfortunatly, if this is a server and it has a reason to be run in safe mode
then it can cause no end of problems.

There are no security parameters in safe mode so i believe (i could be wriong)
so it could one or 2 problems with people using the machine to no end...

Matt.

Regards

Matt Storey,
Network Computer Division EMEA
Internet - http://www.ibm.com/nc

Darkcyde <jk () DAC ORG> on 01/12/99 12:00:22

Please respond to Darkcyde <jk () DAC ORG>

To:   VULN-DEV () SECURITYFOCUS COM
cc:    (bcc: Matthew Storey/UK/Contr/IBM)
Subject:  Re: PHP

On Tue, 30 Nov 1999, Paul Henson wrote:

[snip]

Of course, I could run PHP as a wrapped CGI, but that would be much less
efficient and negate many of the benefits of the Apache module version. PHP
does have a concept called "safe mode", and it is implied that if safe mode
is turned on, you can securely allow untrusted users to run PHP. However, I
could not find a good description of what safe mode actually entailed and
was unable to satisfy myself of its security.


I can't remember the details of safe mode, I think possibly it just
restricts system and exec type stuff.  Be aware however that it's very
easy for users (clueless or not) to eat loads of memory with infinite
loops.

These tend to spiral out of control as because if this happens when PHP is
existing as a module as (last time I looked anyway) there doesn't seem to
be a way of capping resources that module code eats.  (You may scream
Rlimitmem/rlimitcpu to me but that only applies to child processes, PHP
scripts run within Apache itself)

Has anyone investigated the security of PHP running as an Apache module
with safe mode enabled? Are there any good references or discussions of PHP
security available?


Have you trawled php.net?

Thanks...

J.

Current thread:

Re: PHP Darkcyde (Dec 01)
- Re: PHP Jon Parise (Dec 01)
  - Re: PHP James Phillips (Dec 02)
- Re: PHP Stuart Henderson (Dec 01)
- Norton AntiVirus 2000 POProxy.exe Craig Bernstein (Dec 01)
  - Re: Norton AntiVirus 2000 POProxy.exe Mike Frantzen (Dec 01)
- <Possible follow-ups>
- Re: PHP Matt Storey (Dec 01)
  - Re: PHP Seth R Arnold (Dec 01)
- Re: PHP Rodrick Brown <System Administrator> (Dec 01)