[nycbug-talk] Searching for suspect PHP files...

Charles Sprickman spork at bway.net
Thu Mar 12 00:50:59 EDT 2009


On Wed, 11 Mar 2009, Marc Spitzer wrote:

> The thing is most of your exposure is your php website, how are you
> managing that?  Much of the php code out there was not written by
> experts from MIT but by people who code in ee, think notepad but
> worse, and have never had any formal training in CS/Programming.  Are
> you using any of their code?  And I do not mean you but the modules
> you may pull in from ports or the internet.

I am very new to php "security", but even this little doc from the Joomla 
site has what appear to be some very good suggestions to eliminate some of 
the more common threats:

http://docs.joomla.org/Security_Checklist_2_-_Hosting_and_Server_Setup#Configuring_PHP

I found this comment rather interesting:

-----
Don't use PHP safe_mode
Avoid the use of PHP safe_mode. This is a valid but incomplete solution to 
a deeper problem and provides a false sense of security. See the official 
PHP site for an explanation of this issue.
-----

The "open_basedir" and "disable_functions" directives were new to me. 
They both look like they would be very sensible things to configure on any 
php installation.

Charles

> night,
>
> marc
> -- 
> Freedom is nothing but a chance to be better.
> Albert Camus
>



More information about the talk mailing list