Security Basics mailing list archives

Re: PHP Security Risk?


From: Daniel Rubio <drubior () tinet org>
Date: Thu, 09 Dec 2004 11:20:37 +0100

The PHP configuration file (php.ini) offers various directives to make things such as file uploads "safe".

In most cases, people can upload those dangerous scripts you are talking about via FTP (ISP services, e.g.), so it's necessary to take the security measures beforehand.

Directives such as safe_mode, open_basedir, disable_functions and many others are useful to make these functionalities, needed by a lot of web apps, relatively secure. Read about them in the PHP manual.

At last, sysadmin has the control ;-)

q q wrote:

oh yeah, a sysadmin's gonna disable file uploads on a production box
and not get ten tonnes of hell from the development team and clients
when their websites stop working?

general security is the domain of the sysadmin, but the sysadmin
can't/won't look through every bit of PHP code to make sure people are
using move_uploaded_file() and not copy(), is she? I mean, come on.

Security of the box is the responsibility of the one who looks after the box
Security of the code is the responsibility of the one who looks after the code


On Fri, 3 Dec 2004 16:17:34 -0600, Greg Donald <destiney () gmail com> wrote:

On Fri, 3 Dec 2004 15:48:32 +0100 (CET), John GALLET
<john.gallet () wanadoo fr> wrote:

The real danger is that this security part is left te be handled by the
*programmer* not the sysadmin.

Wrong.  Sysadmins have full control over the httpd.conf and the
php.ini files.  Any functions, classes, file extensions, execution
access, etc., that he/she feels unsafe may be disabled quite easily.

Web server security involving PHP is certainly not 'left to be
handled' only by the programmer.  The sysadmin has many facilities to
ensure a secure environment exists.

--
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/
--
********************************************************
Daniel Rubio Rodríguez
OASI (Organisme Autònom Per la Societat de la Informació)
c/ Assalt, 12
43003 - Tarragona
Tef.: 977.244.007 - Fax: 977.224.517
e-mail: drubio a oasi.org
********************************************************
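The thread turns on two controls: the sysadmin's php.ini directives (L13) and the developer's choice of move_uploaded_file() over copy() (quoted from q q above). The handler below is an added example written for this archive page, not code from any poster; the upload directory, size limit, allowed types and form field name are assumptions. It puts the pattern the thread warns against next to the hardened form so the difference is concrete. Note that safe_mode, mentioned above, was removed in PHP 5.4; open_basedir and disable_functions still exist.

```php
<?php
// Added example, not from the thread. Shows why copy() on an upload is the
// wrong call and what the checked version looks like. All paths/names are
// assumptions. Complementary php.ini settings a sysadmin would pair with it:
//   open_basedir = /var/www:/tmp
//   disable_functions = exec,system,passthru,shell_exec,proc_open
//   upload_max_filesize = 2M
//   file_uploads = On          ; set Off only if the site never accepts uploads

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumption: outside the web root, so nothing here is served or executed
const MAX_BYTES  = 2 * 1024 * 1024;      // assumption: 2 MiB cap
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg']; // assumption: content types accepted

// The pattern q q objects to: copy() accepts any readable path, not only a
// file PHP received over HTTP, and the client-chosen filename is used as-is,
// so directory separators and executable extensions are never filtered.
function unsafe_upload(array $file): string
{
    $dest = UPLOAD_DIR . '/' . $file['name'];
    copy($file['tmp_name'], $dest);
    return $dest;
}

// Hardened form: every decision is based on what the server can verify.
function safe_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $file['error']);
    }
    // Only true for a file PHP itself placed in the temp dir for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the bytes, not from $_FILES['type'] or the filename,
    // both of which the client controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported content type ' . $mime);
    }
    // Server-generated name: drops the original name, its path and its extension.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    // move_uploaded_file() refuses anything that is not a genuine upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);                   // readable by the web user, never executable
    return $dest;
}

// Usage from a form with <input type="file" name="avatar"> (field name assumed).
if (isset($_FILES['avatar'])) {
    try {
        echo 'stored as ', basename(safe_upload($_FILES['avatar'])), "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The point both sides of the thread are making shows up here: open_basedir and disable_functions limit what a script can reach even if safe_upload() is never called, while is_uploaded_file()/move_uploaded_file(), the content-based type check and the server-generated filename are things only the code can get right. The finfo class needs the fileinfo extension, which is bundled and enabled by default in PHP.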