Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: PHP security (or the lack thereof)

From: flaps () dgp toronto edu (Alan J Rosenthal)
Date: Mon, 19 Jun 2006 19:41:48 -0400
For example, allowing users to upload and execute any C executable file to a
public web server can prove to be quite dangerous.

I think the same can be said for allowing PHP on a public web server, you
have just allowed anyone with a website to compromise the entire machine.


I think the relevant maxim is "It's possible to write PHP in any language"

...

As a threat to the internet in whole, don't you think these public php
enabled web servers pose an high risk?


I think that any ability of the (l)users to expose executables as web
services threatens the security of the web server machine, irrespective of
programming language.  (But I don't see how it threatens "the internet" --
they can already connect their own misconfigured machine to the net directly)
Previous By Date Next
Previous By Thread Next

Current thread: