RE: [PHP-DB] Security Issues
> so I've been doing a little thinking about web server security..
>
> #1. Since all files on the web are 644, what is to stop someone on the
> same server from copying your files to their own directory?
> (specifically your database connection info)
> #2. if a folder is 777, what's to stop someone from writing to that
> folder?

Virtual Servers
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci213304,00.html
People can only see their own directories and files.

PHP Safe Mode
http://us2.php.net/features.safe-mode
Check the section titled Safe Mode in the php.ini file. It has settings that help lock things down.

Apache open_basedir
Also detailed in the PHP Safe Mode documentation.

There are a few other things that can be done to limit the scope of access, but all of it really depends on how the server is set up. I've seen many situations where hosting providers set accounts up with basic Virtual Hosting without doing any sort of lock down. If you're not careful and choose one of those providers, then you're definitely open to the sort of security breach that you've described.

-Ed

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
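The following self-audit script is an added example, not code from the thread: an account owner on a shared host can drop it in their document root to see whether the two exposures raised above (readable 644 files outside open_basedir, writable 777 directories) apply to their account. It assumes the script lives in the docroot and that the credentials file is named db_config.php (a hypothetical name); note that safe_mode has since been removed from PHP (5.4), while open_basedir and file modes remain the relevant controls.

```php
<?php
// Added example (not from the thread): audit a shared-hosting account for the
// two risks discussed above. Assumptions: this file sits in the account's
// docroot, and db_config.php is a hypothetical DB credentials file.
declare(strict_types=1);

$docroot  = realpath(__DIR__);
$dbConfig = $docroot . '/db_config.php';
$problems = [];

// 1. open_basedir: unset means PHP in this vhost can read any 644 file on the box.
//    As in PHP's own check, an entry without a trailing slash is a path prefix.
$basedir = (string) ini_get('open_basedir');
if ($basedir === '') {
    $problems[] = 'open_basedir is not set: PHP may read any 644 file on the host';
} else {
    $covered = false;
    foreach (explode(PATH_SEPARATOR, $basedir) as $entry) {
        $dir = realpath($entry);
        if ($dir !== false && strncmp($docroot . '/', rtrim($dir, '/') . '/', strlen(rtrim($dir, '/')) + 1) === 0) {
            $covered = true;
        }
    }
    if (!$covered) {
        $problems[] = "open_basedir ($basedir) does not cover $docroot";
    }
}

// 2. Credentials file world-readable (the 644 case from the question)?
if (is_file($dbConfig) && (fileperms($dbConfig) & 0004)) {
    $problems[] = basename($dbConfig) . ' is world-readable; prefer 640 owned by the web server group';
}

// 3. Any world-writable directories (the 777 case) under the docroot?
$iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::SELF_FIRST
);
foreach ($iter as $path => $info) {
    if ($info->isDir() && ($info->getPerms() & 0002)) {
        $problems[] = "$path is world-writable; any local user can drop files here";
    }
}

if ($problems === []) {
    echo "OK: no shared-host exposure found\n";
}
foreach ($problems as $p) {
    echo "WARN: $p\n";
}
```

Run it once from the web server (so it reflects the vhost's php_admin_value settings) rather than from the CLI, whose php.ini may differ.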
Re: [PHP-DB] Security Issues
Jonathan Haddad wrote:
> so I've been doing a little thinking about web server security..
>
> #1. Since all files on the web are 644, what is to stop someone on the
> same server from copying your files to their own directory?
> (specifically your database connection info)
> #2. if a folder is 777, what's to stop someone from writing to that
> folder?

Answer to both questions is a combination of SAFE_MODE and open_basedir restrictions, among other things discussed on the manual pages for those functions / features. If those restrictions are not in place, then nothing is stopping someone on the same server from reading/writing in your filespace with PHP.

---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com
[PHP-DB] Security Issues
so I've been doing a little thinking about web server security..

#1. Since all files on the web are 644, what is to stop someone on the same server from copying your files to their own directory? (specifically your database connection info)
#2. if a folder is 777, what's to stop someone from writing to that folder?

Jonathan Haddad
Re: [PHP-DB] Security Issues
From: "Galbreath, Mark A" <[EMAIL PROTECTED]>
> Does anybody know if the security issues outlined in
>
> http://www.securereality.com.au/archives/studyinscarlet.txt
>
> are still salient or not? My boss wants a technical document outlining the
> security risks of using PHP in an attempt to get it approved for general use
> by Security. I just bought Mohammed Kabir's "Secure PHP Development" (Wiley
> 2003) but would like some background white papers before delving into it.
> To that end, I'm using Google, but would appreciate references to any recent
> documents covering the subject.

Yes, they are still relevant for the most part. There have been actions taken to reduce some of them, though, like having register_globals OFF by default, the move_uploaded_file() function, etc.

I would contend that these "security issues" are the fault of bad programming, though, not the language. Some could argue that the language should do more to get rid of these issues by default, though. I can't say that I'd disagree with that, but I'd still hold the programmers responsible instead of the language.

Bottom line, if you've actually read that page and implement what it says, then you'll be fine. You can write completely safe programs without taking any of the "protective" measures outlined on the site, though. You just have to know what you're doing.

---John Holmes...
[PHP-DB] Security Issues
Does anybody know if the security issues outlined in

http://www.securereality.com.au/archives/studyinscarlet.txt

are still salient or not? My boss wants a technical document outlining the security risks of using PHP in an attempt to get it approved for general use by Security. I just bought Mohammed Kabir's "Secure PHP Development" (Wiley 2003) but would like some background white papers before delving into it. To that end, I'm using Google, but would appreciate references to any recent documents covering the subject.

tia,
Mark