Vulnerability Development mailing list archives

Re: PHP


From: rodrick () YRD COM (Rodrick Brown <System Administrator>)
Date: Wed, 1 Dec 1999 14:52:20 -0500


(Apache/1.3.9)(mod_ssl/2.4.9)+(OpenSSL/0.9.4 PHP/4.0b3)

I've been running it for about a year now and I have not had, nor know of, any
kind of security issues with PHP. PHP just rocks =] Check out #php @ EFnet
on IRC; lots of core developers are in there who would gladly answer any of
the questions you may have.

   =================================================================
          /\      Rodrick Brown        Systems/Network Administrator
       /\/  \     rodrick () yrd com      Yard Productions www.yrd.com
   /\ /  \ / \    212-244-5540         Real Time Video BroadCasting.
   =================================================================

On Tue, 30 Nov 1999, Paul Henson wrote:

I recently received a request to provide PHP to our end-users. Obviously, I
wanted to investigate any potential security implications before fulfilling
said request. However, I have been unable to find any discussion of PHP
security that I felt was satisfactory.

Of course, I could run PHP as a wrapped CGI, but that would be much less
efficient and negate many of the benefits of the Apache module version. PHP
does have a concept called "safe mode", and it is implied that if safe mode
is turned on, you can securely allow untrusted users to run PHP. However, I
could not find a good description of what safe mode actually entailed and
was unable to satisfy myself of its security.

Unless sufficient care was taken in its design and implementation, PHP
would seem ripe for potential security problems. Considering that it is a
full featured programming language, and includes interfaces to many third
party libraries, I am rather hesitant to provide it to end-users as it
might compromise the server.

Has anyone investigated the security of PHP running as an Apache module
with safe mode enabled? Are there any good references or discussions of PHP
security available?

Thanks...


--
[NOTE - generated via speech recognition.  Please forgive obvious errors.]

Paul B. Henson  |  (909) 869-3781  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson () intranet csupomona edu
California State Polytechnic University  |  Pomona CA 91768
