(Apache/1.3.9)(mod_ssl/2.4.9)+(OpenSSL/0.9.4 PHP/4.0b3)
I've been running it for about a year now and I have not had, nor do I know
of, any kind of security issues with PHP. PHP just rocks =] Check out #php @
EFnet on IRC; lots of core developers in there that would gladly answer any of
the questions you may have.
=================================================================
/\ Rodrick Brown Systems/Network Administrator
/\/ \ rodrick_at_yrd.com Yard Productions www.yrd.com
/\ / \ / \ 212-244-5540 Real Time Video BroadCasting.
=================================================================
On Tue, 30 Nov 1999, Paul Henson wrote:
> I recently received a request to provide PHP to our end-users. Obviously, I
> wanted to investigate any potential security implications before fulfilling
> said request. However, I have been unable to find any discussion of PHP
> security that I felt was satisfactory.
>
> Of course, I could run PHP as a wrapped CGI, but that would be much less
> efficient and negate many of the benefits of the Apache module version. PHP
> does have a concept called "safe mode", and it is implied that if safe mode
> is turned on, you can securely allow untrusted users to run PHP. However, I
> could not find a good description of what safe mode actually entailed and
> was unable to satisfy myself of its security.
>
> Unless sufficient care was taken in its design and implementation, PHP
> would seem ripe for potential security problems. Considering that it is a
> full featured programming language, and includes interfaces to many third
> party libraries, I am rather hesitant to provide it to end-users as it
> might compromise the server.
>
> Has anyone investigated the security of PHP running as an Apache module
> with safe mode enabled? Are there any good references or discussions of PHP
> security available?
>
> Thanks...
>
>
> --
> [NOTE - generated via speech recognition. Please forgive obvious errors.]
>
> Paul B. Henson | (909) 869-3781 | http://www.csupomona.edu/~henson/
> Operating Systems and Network Analyst | henson_at_intranet.csupomona.edu
> California State Polytechnic University | Pomona CA 91768
>
Received on Dec 01 1999