[nycbug-talk] Searching for suspect PHP files...
Andy Kosela
akosela at andykosela.com
Thu Mar 12 03:01:29 EDT 2009
Charles Sprickman <spork at bway.net> wrote:
> I found this comment rather interesting:
>
> -----
> Don't use PHP safe_mode
> Avoid the use of PHP safe_mode. This is a valid but incomplete solution to
> a deeper problem and provides a false sense of security. See the official
> PHP site for an explanation of this issue.
> -----
From php.ini:
; Safe Mode
;
; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
; the PHP Safe Mode feature not be relied upon for security, since the
; issues Safe Mode tries to handle cannot properly be handled in PHP
; (primarily due to PHP's use of external libraries). While many bugs
; in Safe Mode has been fixed it's very likely that more issues exist
; which allows a user to bypass Safe Mode restrictions.
; For increased security we recommend to always install the Suhosin
; extension.
> The "open_basedir" and "disable_functions" directives were new to me.
> They both look like they would be very sensible things to configure on any
> php installation.
There are some performance problems with using 'open_basedir' on
FreeBSD. Google for that.
Also if your application doesn't need it, disable 'allow_url_fopen'.
--Andy
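As an added example (not part of the thread, and not the FreeBSD or PHP project's own code), a small PHP script that audits the directives discussed above from inside PHP itself via ini_get(), so the result reflects the configuration the running SAPI actually loaded rather than whatever php.ini you think is in effect. The list of functions expected in disable_functions is an assumption for this example; adjust it to what your application really needs.

```php
<?php
// Added example: report php.ini settings that the thread recommends tightening.
// Run with "php audit.php" on the CLI, or drop it behind the web server to see
// the web SAPI's values (php-cli and mod_php/php-fpm often load different ini files).

// Functions an application rarely needs and that are commonly listed in
// disable_functions. This set is an assumption for the example, not a standard.
$shouldBeDisabled = ['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen'];

function auditPhpIni(array $shouldBeDisabled): array
{
    $findings = [];

    // open_basedir: an empty value means scripts may open any file the
    // web server user can read, so include/fopen are not confined at all.
    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is unset: include/fopen are not confined to a directory tree';
    }

    // disable_functions is a comma-separated list; normalise case and whitespace
    // before comparing, and drop empty entries from a trailing comma.
    $disabled = array_filter(array_map('trim', explode(',', strtolower((string) ini_get('disable_functions')))));
    $missing = array_diff($shouldBeDisabled, $disabled);
    if ($missing) {
        $findings[] = 'disable_functions does not cover: ' . implode(', ', $missing);
    }

    // ini_get() returns the raw string ("1", "On", "", "Off"), so use the
    // boolean filter to decide whether the directive is effectively enabled.
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        if (filter_var((string) ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$directive is enabled: file functions accept remote URLs";
        }
    }

    return $findings;
}

$findings = auditPhpIni($shouldBeDisabled);
if (!$findings) {
    echo "php.ini hardening checks passed\n";
} else {
    foreach ($findings as $finding) {
        echo "WARNING: $finding\n";
    }
}
```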