Full Disclosure
mailing list archives
Re: Security of suphp
From: Bernd Wurst <bernd () bwurst org>
Date: Mon, 20 Jun 2005 15:20:30 +0200
Hello.
On Monday, 20 June 2005 14:37, Stefan Esser wrote:
> do yourself a favour and do not use safe_mode. safe_mode is not, was
> never and simply can never be secure. It is deprecated.
> There are simply too many ways to break out of safe_mode through 3rd
> party libraries like f.e. libcurl.
Yes, I fully acknowledge this. I also don't like safe_mode as a user, it
creates trouble with script-uploaded-files and so on. safe_mode sucks
and is deprecated BUT there's no working alternative for PHP used as an
apache module! If you restrict some 3rd party libs, it's "secure
enough" (I know that this term should never be said).
Using plain mod_php for user-scripts without safe_mode is not an
alternative because users can run any script and read any file the
webserver has access to via the webserver's user ID!
That's why I'm interested in suphp.
What do you suppose for a regular shared hosting including user-uploaded
scripts? PHP via CGI? Is that better than suphp? I don't think that's
much of a difference.
cu, Bernd
--
If liberty means anything at all, it means above all the right
to tell other people what they do not want to hear.
- George Orwell
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/