Full Disclosure mailing list archives
AW: AW: securing php
From: vogt () hansenet com
Date: Wed, 20 Aug 2003 15:24:02 +0200
You can enable PHP's "Safe Mode", which goes a long way to closing these holes, but it's not a 100% solution.

PHP uses many libraries which were not designed to cope with malicious input from the application. That's why PHP Safe Mode is unsafe *by* *design*.
Yes, but you have two different sets of problems here:

a) PHP by default has the same access to the system as Apache does, which is way too much. Safe Mode does (mostly) solve this problem.

b) Input verification and all other problems of exploiting PHP scripts, just as you have in any other language. Safe Mode does nothing against these, though it can help to contain an exploit.

As I said: It's not a 100% solution, but that is not an excuse for not using it and at least get what safety it offers.

Tom Vogt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html