[nycbug-talk] Searching for suspect PHP files...

Andy Kosela akosela at andykosela.com
Thu Mar 12 03:01:29 EDT 2009


Charles Sprickman <spork at bway.net> wrote:

> I found this comment rather interesting:
>
> -----
> Don't use PHP safe_mode
> Avoid the use of PHP safe_mode. This is a valid but incomplete solution to 
> a deeper problem and provides a false sense of security. See the official 
> PHP site for an explanation of this issue.
> -----

From php.ini:

; Safe Mode
;
; SECURITY NOTE: The FreeBSD Security Officer strongly recommends that
; the PHP Safe Mode feature not be relied upon for security, since the
; issues Safe Mode tries to handle cannot properly be handled in PHP
; (primarily due to PHP's use of external libraries).  While many bugs
; in Safe Mode have been fixed, it's very likely that more issues exist
; which allow a user to bypass Safe Mode restrictions.
; For increased security we recommend always installing the Suhosin
; extension.

> The "open_basedir" and "disable_functions" directives were new to me. 
> They both look like they would be very sensible things to configure on any 
> php installation.

There are some performance problems with using 'open_basedir' on 
FreeBSD.  Google for that.

Also if your application doesn't need it, disable 'allow_url_fopen'.

--Andy
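The four directives discussed in this thread (safe_mode, open_basedir, disable_functions, allow_url_fopen) are easy to check mechanically. The script below is an added example, not part of Andy's or Charles's messages and not FreeBSD's own tooling: it parses a php.ini fragment and reports the weak settings. The two php.ini samples are constructed for the example; the list of functions expected in disable_functions (the usual shell-spawning ones) and the open_basedir path are assumptions, to be adapted to the application.

```python
"""Audit a PHP 5-era php.ini for the hardening directives discussed above.

Added example; the php.ini samples below are constructed, not taken from
any real host. Recommended values follow the thread: safe_mode off (it is
bypassable and not to be relied on), open_basedir and disable_functions
set, allow_url_fopen off unless the application needs it.
"""

# Constructed sample: an installation that leans on safe_mode and
# leaves the directives that actually restrict the process unset.
WEAK_INI = """
[PHP]
; Safe Mode
safe_mode = On
open_basedir =
disable_functions =
allow_url_fopen = On
"""

# Constructed sample: the corrected settings. The docroot path and the
# function list are assumptions for the example.
HARDENED_INI = """
[PHP]
safe_mode = Off
open_basedir = "/usr/local/www/example:/tmp"
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
allow_url_fopen = Off
"""

# Assumed minimum set of shell-spawning functions to disable.
SHELL_FUNCS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}


def parse_ini(text):
    """Return {directive: value} from php.ini text.

    Handles ';' comments, [section] headers and double-quoted values.
    Keys are lowercased; later assignments override earlier ones, as PHP does.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # php.ini comments start with ';'
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    """PHP treats on/1/true/yes as enabled; everything else (incl. empty) as off."""
    return value.strip().lower() in ("on", "1", "true", "yes")


def audit(text):
    """Return a list of (directive, problem) findings; an empty list means all checks pass.

    Defaults when a directive is absent match PHP 5: safe_mode off,
    allow_url_fopen on, open_basedir and disable_functions unset.
    """
    s = parse_ini(text)
    findings = []
    if is_on(s.get("safe_mode", "0")):
        findings.append(("safe_mode", "enabled; do not rely on it, restrictions are bypassable"))
    if not s.get("open_basedir"):
        findings.append(("open_basedir", "unset; scripts may open any file the web server user can read"))
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(SHELL_FUNCS - disabled)
    if missing:
        findings.append(("disable_functions", "does not cover: " + ", ".join(missing)))
    if is_on(s.get("allow_url_fopen", "1")):
        findings.append(("allow_url_fopen", "enabled; fopen()/include can fetch remote URLs"))
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print("%s php.ini:" % name)
        for directive, problem in audit(ini) or [("ok", "no findings")]:
            print("  %-18s %s" % (directive, problem))
```

To run it against a real host, read the file the running PHP actually loads (the path shown by `php --ini`) rather than a copy in the ports tree; a php.ini that is not the loaded one audits clean while the server keeps the defaults. Note that safe_mode was removed in PHP 5.4, so the first check only applies to the PHP 5.2/5.3 installations this 2009 thread is about.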
