Vulnerability Development mailing list archives
Re: PHP
From: rodrick () YRD COM (Rodrick Brown <System Administrator>)
Date: Wed, 1 Dec 1999 14:52:20 -0500

(Apache/1.3.9)(mod_ssl/2.4.9)+(OpenSSL/0.9.4 PHP/4.0b3)

I've been running it for about a year now and I have not had or know of any kind of security issues with PHP. PHP just rocks =]

Check out #php @ efnet on IRC; lots of core developers in there that would gladly answer any of the questions you may have.

=================================================================
   /\        Rodrick Brown        Systems/Network Administrator
  /\/ \      rodrick () yrd com   Yard Productions www.yrd.com
 /\ / \ / \  212-244-5540         Real Time Video BroadCasting.
=================================================================

On Tue, 30 Nov 1999, Paul Henson wrote:

> I recently received a request to provide PHP to our end-users. Obviously, I wanted to investigate any potential security implications before fulfilling said request. However, I have been unable to find any discussion of PHP security that I felt was satisfactory.
>
> Of course, I could run PHP as a wrapped CGI, but that would be much less efficient and negate many of the benefits of the Apache module version. PHP does have a concept called "safe mode", and it is implied that if safe mode is turned on, you can securely allow untrusted users to run PHP. However, I could not find a good description of what safe mode actually entailed and was unable to satisfy myself of its security.
>
> Unless sufficient care was taken in its design and implementation, PHP would seem ripe for potential security problems. Considering that it is a full-featured programming language, and includes interfaces to many third-party libraries, I am rather hesitant to provide it to end-users as it might compromise the server.
>
> Has anyone investigated the security of PHP running as an Apache module with safe mode enabled? Are there any good references or discussions of PHP security available?
>
> Thanks...
>
> --
> [NOTE - generated via speech recognition. Please forgive obvious errors.]
>
> Paul B. Henson | (909) 869-3781 | http://www.csupomona.edu/~henson/
> Operating Systems and Network Analyst | henson () intranet csupomona edu
> California State Polytechnic University | Pomona CA 91768