[nycbug-talk] Searching for suspect PHP files...

Charles Sprickman spork at bway.net
Tue Mar 17 01:47:07 EDT 2009


On Mar 12, 2009, at 3:01 AM, Andy Kosela wrote:

> Charles Sprickman <spork at bway.net> wrote:
>
>> I found this comment rather interesting:
>>
>> -----
>> Don't use PHP safe_mode
>> Avoid the use of PHP safe_mode. This is a valid but incomplete solution to
>> a deeper problem and provides a false sense of security. See the official
>> PHP site for an explanation of this issue.
>> -----
>
> From php.ini:
>
> ; Safe Mode
> ;
> ; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
> ; the PHP Safe Mode feature not be relied upon for security, since the
> ; issues Safe Mode tries to handle cannot properly be handled in PHP
> ; (primarily due to PHP's use of external libraries).  While many bugs
> ; in Safe Mode has been fixed it's very likely that more issues exist
> ; which allows a user to bypass Safe Mode restrictions.
> ; For increased security we recommend to always install the Suhosin
> ; extension.
>
>> The "open_basedir" and "disable_functions" directives were new to me.
>> They both look like they would be very sensible things to configure on any
>> php installation.
>
> There are some performance problems with using 'open_basedir' on
> FreeBSD.  Google for that.

I did find some info on that, and then I also found this:

http://www.hardened-php.net/suhosin/a_feature_list:realpath.html

"To stop all these attacks Suhosin replaces the realpath() function PHP uses
with the one implemented by FreeBSD which was the most robust one at the time
this patch was created."

So FreeBSD's realpath() is slow, but it is "more correct" I suppose.

> Also if your application doesn't need it, disable 'allow_url_fopen'.

That's a tough one...  I know I've got some stuff that pulls in RSS
feeds, need to look at how that's done.

Thanks,

Charles

>
> --Andy



Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
spork at bway.net - 212.655.9344
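The directives the thread goes back and forth on, side by side. This php.ini fragment is an added illustration, not something from the posts above or from any project's shipped config: the first block is the permissive state many installations of that era were left in, the second is a hardened set. The directory paths, the vhost name and the exact disable_functions list are assumptions for an example site; tune them per vhost (under Apache, with php_admin_value so scripts cannot override them).

```ini
; ---- permissive: what not to rely on (example values, not from the thread) ----
safe_mode = On            ; the FreeBSD SO note above: do not rely on this for security
allow_url_fopen = On      ; file_get_contents()/fopen()/include can open http:// URLs
allow_url_include = On    ; include($x) with attacker-influenced $x becomes remote file inclusion
; open_basedir and disable_functions left unset: any script may read whatever
; the web server user can read and spawn whatever it can execute

; ---- hardened: per-vhost settings (assumed paths) ----
safe_mode = Off           ; not a security boundary; turning it off avoids false confidence
allow_url_fopen = Off     ; code that pulls RSS with file_get_contents("http://...") must be
                          ; rewritten to use the curl extension, which this switch does not govern
allow_url_include = Off
; trailing slashes matter: older PHP treats each entry as a prefix,
; so "/usr/local/www/example" would also allow "/usr/local/www/example-old"
open_basedir = /usr/local/www/example.com/:/tmp/example.com/
upload_tmp_dir = /tmp/example.com/
session.save_path = /tmp/example.com/
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl
expose_php = Off
display_errors = Off
log_errors = On
```

Two caveats a practitioner will hit straight away: every file open under open_basedir goes through realpath(), which is where the FreeBSD performance complaint and the Suhosin replacement mentioned above come from, so measure before rolling it out on a busy host; and disable_functions blocks only the named PHP functions, so it is a speed bump against lazy webshells, not a sandbox, which is exactly why the php.ini note still points at Suhosin for the rest.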