[nycbug-talk] Searching for suspect PHP files...
Charles Sprickman
spork at bway.net
Thu Mar 12 00:50:59 EDT 2009
On Wed, 11 Mar 2009, Marc Spitzer wrote:
> The thing is most of your exposure is your php website, how are you
> managing that? Much of the php code out there was not written by
> experts from MIT but by people who code in ee, think notepad but
> worse, and have never had any formal training in CS/Programming. Are
> you using any of their code? And I do not mean you but the modules
> you may pull in from ports or the internet.
I am very new to php "security", but even this little doc from the Joomla
site has what appear to be some very good suggestions to eliminate some of
the more common threats:
http://docs.joomla.org/Security_Checklist_2_-_Hosting_and_Server_Setup#Configuring_PHP
I found this comment rather interesting:
-----
Don't use PHP safe_mode
Avoid the use of PHP safe_mode. This is a valid but incomplete solution to
a deeper problem and provides a false sense of security. See the official
PHP site for an explanation of this issue.
-----
The "open_basedir" and "disable_functions" directives were new to me.
They both look like they would be very sensible things to configure on any
php installation.
Charles
> night,
>
> marc
> --
> Freedom is nothing but a chance to be better.
> Albert Camus
>
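As an added illustration, not part of the original thread or the Joomla checklist, here is a php.ini fragment contrasting the safe_mode approach the checklist warns against with the open_basedir and disable_functions directives mentioned above; the document root path and the function list are assumptions for a hypothetical site.

```ini
; Weak: safe_mode is the uid-based check the Joomla checklist advises against.
; It was deprecated in PHP 5.3 and removed in 5.4, and gives a false sense of security.
; safe_mode = On

; Preferred: leave safe_mode off and rely on the two directives below.
safe_mode = Off

; open_basedir limits which filesystem paths PHP may open.
; Paths are assumptions for a hypothetical site; separate entries with ":" on Unix.
; Keep the trailing slash: "/var/www/example" is a prefix match and would also
; permit "/var/www/example2".
open_basedir = /var/www/example/:/tmp/

; disable_functions removes built-ins that web applications rarely need.
; This list is an assumption; trim it to what the hosted code actually requires.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,show_source

; Companion settings commonly configured alongside the above.
expose_php = Off
display_errors = Off
allow_url_include = Off
```

After editing php.ini, restart the web server or PHP FastCGI processes and confirm the values with a phpinfo() page or `php -i`, since a stale process keeps the old settings.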