Vulnerability Development: Re: PHP

Re: PHP

From: Seth R Arnold <sarnold_at_WILLAMETTE.EDU>
Date: Wed, 1 Dec 1999 20:06:20 -0800

Matt, different safe mode -- the safe mode you described is for windows 95
and windows 98 -- the safe mode mentioned in the reply that discussed
safemode is referring to a mode of operation for php, a nifty little cgi
'thingy' -- www.php.net has more info on it than I do. :)

On Wed, Dec 01, 1999 at 04:14:29PM +0000, Matt Storey wrote:
> Safe mode runs with the minimum amount of drivers, thus entailing you to fix
> whatever problems the system has been experiencing for example if it has
> been having problems with a driver of a program at startup that keeps "Blue
> Screening" then you run it in safe mode so the driver/program does not run,
> which allows you to see a GUI and fix the appropriate driver/problem. The
> features of Safe mode are endless.
>
> Loops are a problem due to the fact that they are so easily created by a program
> that needs certain parameters to run and safe mode does not supply them, which
> in turn it goes off in its own merry way eating CPU utilizations and memory
> until the machine either crashes or the user switches off...
>
> Unfortunately, if this is a server and it has a reason to be run in safe mode
> then it can cause no end of problems.
>
> There are no security parameters in safe mode so I believe (I could be wrong)
> so it could one or 2 problems with people using the machine to no end...
>
> Matt.
>
> Regards
>
> Matt Storey,
> Network Computer Division EMEA
> Internet - http://www.ibm.com/nc
>
>
> Darkcyde <jk_at_DAC.ORG> on 01/12/99 12:00:22
>
> Please respond to Darkcyde <jk_at_DAC.ORG>
>
> To: VULN-DEV_at_SECURITYFOCUS.COM
> cc: (bcc: Matthew Storey/UK/Contr/IBM)
> Subject: Re: PHP
>
>
>
>
> On Tue, 30 Nov 1999, Paul Henson wrote:
>
> [snip]
>
> > Of course, I could run PHP as a wrapped CGI, but that would be much less
> > efficient and negate many of the benefits of the Apache module version. PHP
> > does have a concept called "safe mode", and it is implied that if safe mode
> > is turned on, you can securely allow untrusted users to run PHP. However, I
> > could not find a good description of what safe mode actually entailed and
> > was unable to satisfy myself of its security.
>
> I can't remember the details of safe mode, I think possibly it just
> restricts system and exec type stuff. Be aware however that it's very
> easy for users (clueless or not) to eat loads of memory with infinite
> loops.
>
> These tend to spiral out of control as because if this happens when PHP is
> existing as a module as (last time I looked anyway) there doesn't seem to
> be a way of capping resources that module code eats. (You may scream
> Rlimitmem/rlimitcpu to me but that only applies to child processes, PHP
> scripts run within Apache itself)
>
> > Has anyone investigated the security of PHP running as an Apache module
> > with safe mode enabled? Are there any good references or discussions of PHP
> > security available?
>
> Have you trawled php.net?
>
> > Thanks...
>
> J.

--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
Hi! I'm a .signature virus! Copy me into
your ~/.signature to help me spread!
Received on Dec 01 1999