ID:               32421
 User updated by:  ricardi at gmail dot com
 Reported By:      ricardi at gmail dot com
 Status:           Open
 Bug Type:         Documentation problem
 Operating System: *nix (Tested on Linux)
 PHP Version:      4.3.10
 New Comment:

Thank you. Please, the banner could be placed in this chapter:
Chapter 42. Safe Mode

Under the section: 
safe_mode_exec_dir 

I think that the problem is big enough to receive a big warning too. 

Other chapters like:
IV. Security
XXXI. Program Execution Functions
... could be helpful too.

The banner contents would be something like:

"The PHP Engine (and nobody else) can't take care of your children.
Untrusted binaries can be dangerous to your system. On Mass VirtualHost
machines, we suggest disabling exec functions".

Thanks again!


Previous Comments:
------------------------------------------------------------------------

[2005-03-26 15:01:15] [EMAIL PROTECTED]

Warning should go to the docs... (if it's not there yet)

------------------------------------------------------------------------

[2005-03-24 00:21:50] ricardi at gmail dot com

Ok. So, even knowing this, there is no banner with a warning about this
problem? Please, just to close this "bug", put this warning when talking
about safe_mode_exec_dir. When you are using PHP in a Hosting Provider
with thousands of domains, the banner CERTAINLY would be helpful. I've
almost had 12000 defacements because I wasn't advised about the
safe_mode_exec_dir bypass. Please, think about it!

Thank you!

------------------------------------------------------------------------

[2005-03-23 16:41:51] [EMAIL PROTECTED]

>The PHP engine can't control the children created by the
>exec functions?

exactly.
and nobody can.

------------------------------------------------------------------------

[2005-03-23 16:38:58] ricardi at gmail dot com

The PHP engine can't control the children created by the exec
functions? This could be a great security enhancement, since some
PHP applications are suffering from exploits that use this technique.
I've already disabled these functions now, but our clients are unhappy
with these limitations.

------------------------------------------------------------------------

[2005-03-23 08:23:53] [EMAIL PROTECTED]

Disable system() and other exec functions then.
PHP is unable to prevent you from shooting your leg or formatting the
hard drive with a binary called by a binary.

------------------------------------------------------------------------
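
Added example, not part of the original bug report or of PHP itself: a small audit that reads a php.ini body and reports which program-execution functions are still callable, flagging the case discussed above where safe_mode_exec_dir is set but the exec functions remain enabled. The function list, the sample ini text and the path in it are constructed for this example.

```python
# Functions checked; this list is an assumption of the example, extend as needed.
EXEC_FUNCS = ("exec", "passthru", "system", "shell_exec",
              "popen", "proc_open", "pcntl_exec")

def parse_ini(text):
    """Return {directive: value} for a php.ini body; the last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment (simplified)
        if "=" not in line or line.startswith("["):
            continue                             # skip section headers and blanks
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return (still_enabled_functions, findings) for one php.ini body."""
    s = parse_ini(text)
    disabled = {f.strip().lower()
                for f in s.get("disable_functions", "").split(",") if f.strip()}
    enabled = [f for f in EXEC_FUNCS if f not in disabled]
    findings = []
    if enabled:
        findings.append("exec functions still callable: " + ", ".join(enabled))
        if s.get("safe_mode_exec_dir"):
            # The point of the thread: PHP restricts which binary is started,
            # not what that binary starts afterwards.
            findings.append("safe_mode_exec_dir=%s does not constrain child "
                            "processes of the binaries it allows"
                            % s["safe_mode_exec_dir"])
    return enabled, findings

# Constructed sample configurations.
WEAK_INI = """[PHP]
safe_mode = On
safe_mode_exec_dir = /usr/local/php/bin
disable_functions =
"""
HARDENED_INI = """[PHP]
safe_mode = On
safe_mode_exec_dir = /usr/local/php/bin
; disable_functions =
disable_functions = "exec, passthru, system, shell_exec, popen, proc_open, pcntl_exec"
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini)[1] or "no findings")
```
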

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/32421
