Vulnerability Development mailing list archives
Re: PHP
From: MSTOREY () UK IBM COM (Matt Storey)
Date: Wed, 1 Dec 1999 16:14:29 +0000
Safe mode runs with the minimum number of drivers, thus enabling you to fix whatever problems the system has been experiencing. For example, if it has been having problems with a driver or a program at startup that keeps "Blue Screening", then you run it in safe mode so the driver/program does not run, which allows you to see a GUI and fix the appropriate driver/problem. The features of safe mode are endless.

Loops are a problem because they are so easily created by a program that needs certain parameters to run when safe mode does not supply them; it then goes off on its own merry way eating CPU and memory until the machine either crashes or the user switches off... Unfortunately, if this is a server and it has a reason to be run in safe mode, then it can cause no end of problems. There are no security parameters in safe mode, I believe (I could be wrong), so it could cause one or two problems with people using the machine to no end...

Matt.

Regards
Matt Storey, Network Computer Division EMEA
Internet - http://www.ibm.com/nc

Darkcyde <jk () DAC ORG> on 01/12/99 12:00:22
Please respond to Darkcyde <jk () DAC ORG>
To: VULN-DEV () SECURITYFOCUS COM
cc: (bcc: Matthew Storey/UK/Contr/IBM)
Subject: Re: PHP

On Tue, 30 Nov 1999, Paul Henson wrote:
[snip]
Of course, I could run PHP as a wrapped CGI, but that would be much less efficient and negate many of the benefits of the Apache module version. PHP does have a concept called "safe mode", and it is implied that if safe mode is turned on, you can securely allow untrusted users to run PHP. However, I could not find a good description of what safe mode actually entailed and was unable to satisfy myself of its security.
I can't remember the details of safe mode; I think possibly it just restricts system and exec type stuff. Be aware, however, that it's very easy for users (clueless or not) to eat loads of memory with infinite loops. These tend to spiral out of control because, if this happens when PHP exists as a module, (last time I looked anyway) there doesn't seem to be a way of capping the resources that module code eats. (You may scream RLimitMEM/RLimitCPU at me, but that only applies to child processes; PHP scripts run within Apache itself.)
Has anyone investigated the security of PHP running as an Apache module with safe mode enabled? Are there any good references or discussions of PHP security available?
Have you trawled php.net?
Thanks...
J.
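The point Darkcyde makes about RLimitMEM/RLimitCPU, illustrated as an added example that is not part of the thread and not PHP or Apache code: a resource limit set on a forked child (the wrapped-CGI model) stops a runaway allocation loop in that child, while the parent process (the model-equivalent of the server that runs module code in-process) is left exactly as it was. The "runaway script" below is a constructed Python stand-in for a looping PHP page; the 256 MB address-space cap, the exit status 42 and the function names are choices made for this example. It needs a Unix Python (the `resource` module).

```python
"""Added example: an RLIMIT applied in a forked child caps that child only.

This is not code from the thread, PHP or Apache.  It models the point that
Apache's RLimitMEM/RLimitCPU act on processes it forks (CGI), not on the
server process in which an Apache module runs.
"""
import resource
import subprocess
import sys

# Constructed stand-in for a PHP page stuck in an allocation loop.
RUNAWAY_CHILD = r"""
import sys
chunks = []
try:
    while True:                                   # the "infinite loop"
        chunks.append(bytearray(16 * 1024 * 1024))  # 16 MB per pass
except MemoryError:
    sys.exit(42)        # hit the cap instead of eating the whole box
"""

# Address-space cap for the child, in bytes (assumed value for the demo).
CHILD_AS_LIMIT = 256 * 1024 * 1024


def _cap_child():
    """Runs in the forked child just before exec: the RLimitMEM analogue."""
    resource.setrlimit(resource.RLIMIT_AS, (CHILD_AS_LIMIT, CHILD_AS_LIMIT))


def run_capped_child(timeout=60):
    """Run the runaway script as a separate process with RLIMIT_AS set.

    Returns the child's exit status; 42 means the loop was stopped by the
    cap (a MemoryError) rather than running until the machine gives up.
    """
    proc = subprocess.run([sys.executable, "-c", RUNAWAY_CHILD],
                          preexec_fn=_cap_child, timeout=timeout)
    return proc.returncode


def parent_limit_unchanged():
    """True if the parent's own RLIMIT_AS is untouched by capping a child.

    That is the situation described for module code: whatever is set for
    forked children does nothing to bound work done inside the server
    process itself.
    """
    before = resource.getrlimit(resource.RLIMIT_AS)
    run_capped_child()
    after = resource.getrlimit(resource.RLIMIT_AS)
    return before == after


if __name__ == "__main__":
    print("capped child exit status:", run_capped_child())
    print("parent limit unchanged:", parent_limit_unchanged())
```

Running it shows the child exiting with status 42 after a handful of 16 MB allocations, while `resource.getrlimit` in the parent reports the same values before and after; anything that ran inside the parent instead of in the child would see no cap at all.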
Current thread:
- Re: PHP Darkcyde (Dec 01)
- Re: PHP Jon Parise (Dec 01)
- Re: PHP James Phillips (Dec 02)
- Re: PHP Stuart Henderson (Dec 01)
- Norton AntiVirus 2000 POProxy.exe Craig Bernstein (Dec 01)
- Re: Norton AntiVirus 2000 POProxy.exe Mike Frantzen (Dec 01)
- Re: PHP Jon Parise (Dec 01)