Would it help to add a disable_functions list in php.ini? Unless these functions are needed by Mozdev internal scripts, disabling these might help:
* system
* exec
* shell_exec
* proc_open
* passthru
* mysql_list_dbs
* dl
* leak (I'm not sure if this is still available in PHP)

These could also be set for greater security (if needed):

* openlog
* syslog
* symlink
* link
* apache_child_terminate
* apache_note
* apache_getenv
* apache_setenv
* virtual

This setting can only be set in php.ini, not httpd.conf or .htaccess or ini_set(). More info: http://php.net/manual/en/ini.core.php#ini.disable-functions

There may be other php.ini settings that could be set (like open_basedir: http://www.php.net/manual/en/ini.core.php#ini.open-basedir) for greater security.

--Jake

P.S. PHP is still disabled for the mp4downloader project. I sent an email to the sysadmin list, but nothing has changed yet. I don't use PHP much on this site except to redirect users to Drupal (pretty important, since most people go to mp4downloader.mozdev.org instead of mp4downloader.mozdev.org/drupal) and to handle changelog access from testing versions of my add-on (not having PHP is really messing this up, but it isn't too important because it is just a testing version).

P.S. (again): I can still run PHP code in local.conf, even though PHP is disabled in my project. I guess this is necessary for certain settings and stuff, but it also opens up a security hole.

On 09/29/2010 09:48 AM, Pete Collins wrote:
>
> On 9/29/10 5:32 AM, Robert Kaiser wrote:
>>
>> I guess that the particular setup of automated PHP stuff on mozdev
>> must have some problem. Neither the operating system nor PHP by
>> itself are security risks, or else they would not both be in use in
>> highly attack-prone setups. I guess the particular code mozdev uses
>> for automating a number of things has a problem and would need a
>> security audit, which is not so easy when you have a resource
>> shortage like this project does.
>>
>
> The security risk is that project owners having access to php and the
> write access to the database ...
>
> For the 9 years Mozdev has been up, everyone has operated and used
> these resources responsibly.
>
> This issue needed to be addressed and so now we are addressing it.
>
> --pete
>
> --
> Pete Collins - Founder, Mozdev Group Inc.
> www.mozdevgroup.com
> Mozilla Software Development Solutions
> tel: 1-719-302-5811
> fax: 1-719-302-5813
>
> _______________________________________________
> Project_owners mailing list
> Project_owners@mozdev.org
> https://www.mozdev.org/mailman/listinfo/project_owners
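An added check script, written for this thread and not part of mozdev's own code, that reports which of the functions named in the message are actually disabled in the PHP configuration that gets loaded. The two function lists are taken from the message; the script itself, its output format and its exit code are my own. Run it once from the command line and once through the web server, because the CLI and the Apache SAPI may read different php.ini files, and disable_functions is only as good as the file the web SAPI actually loads.

```php
<?php
// Added example (not from the mozdev thread): audit which of the functions
// proposed for disable_functions are really disabled in the running PHP.

// First group from the message: functions that run programs or load code.
// leak() may not exist at all in a given PHP build, which shows up as "absent".
$proposed = [
    'system', 'exec', 'shell_exec', 'proc_open', 'passthru',
    'mysql_list_dbs', 'dl', 'leak',
];

// Second group from the message: optional extras.
$optional = [
    'openlog', 'syslog', 'symlink', 'link', 'apache_child_terminate',
    'apache_note', 'apache_getenv', 'apache_setenv', 'virtual',
];

// Parse the effective disable_functions value into a normalised list.
function disabledFunctions(): array
{
    $raw = (string) ini_get('disable_functions');
    $names = array_map('trim', explode(',', $raw));
    return array_map('strtolower', array_filter($names, 'strlen'));
}

// Classify one function name:
//   'disabled' - listed in disable_functions
//   'enabled'  - not listed and callable
//   'absent'   - not listed and not defined (not compiled in / extension missing)
// The list check comes first on purpose: on PHP 8 function_exists() returns
// false for disabled functions, on older versions it returns true, so the
// ini value is the only version-independent signal.
function status(string $fn, array $disabled): string
{
    if (in_array(strtolower($fn), $disabled, true)) {
        return 'disabled';
    }
    return function_exists($fn) ? 'enabled' : 'absent';
}

// Build a name => status map for a group of functions.
function report(array $names, array $disabled): array
{
    $out = [];
    foreach ($names as $fn) {
        $out[$fn] = status($fn, $disabled);
    }
    return $out;
}

$disabled = disabledFunctions();

// Say which SAPI and which php.ini produced this result, so a CLI run is
// not mistaken for the web server's configuration.
printf("SAPI: %s, php.ini: %s\n", PHP_SAPI, php_ini_loaded_file() ?: '(none)');
printf("open_basedir: %s\n", ini_get('open_basedir') ?: '(not set)');

foreach (['proposed' => $proposed, 'optional' => $optional] as $group => $names) {
    echo "\n[$group]\n";
    foreach (report($names, $disabled) as $fn => $st) {
        printf("  %-24s %s\n", $fn, $st);
    }
}

// Exit non-zero when anything from the first group is still callable, so the
// script can double as a deploy-time or cron check.
$stillEnabled = array_keys(array_filter(
    report($proposed, $disabled),
    function ($s) { return $s === 'enabled'; }
));
if ($stillEnabled) {
    echo "\nStill enabled: " . implode(', ', $stillEnabled) . "\n";
    exit(1);
}
echo "\nAll proposed functions are disabled or absent.\n";
```

Save it as, say, check_disabled.php and run `php check_disabled.php` for the CLI view; for the web view drop it in a project directory, request it once over HTTP, and delete it again. A function reported as "enabled" under the web SAPI but "disabled" under the CLI means the directive was added to a php.ini the web server does not read.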