Most of the time local exploits are not as bad as they seem. You can do things in plain PHP which will just hang the server, like make a script that uses a ton of memory or opens a lot of files, does spam, etc. It's a programming language, its job is to execute scripts (nowadays the size of a good application) and the person who wrote it can do a ton of things wrong. Without the proper installation and sandboxing you will probably end up in a situation where someone just abuses your servers by using too many resources, not actually someone hacking in due to an exploit. Many exploits affect just a bunch of guys using some really specific things - most of the widely used things are tested and rarely contain an exploit (and these are usually fixed ASAP). The fix is usually trivial - add a check in the code and you are safe. And yes, if you want security - run your own VM or have a jail/chroot - it's the only way to be 100% sure. And don't forget to update regularly, not just PHP, but the whole stack (and believe me - leave the update process for a year and it can be a real pain in the ass).
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
