
Re: [cobalt-security] php security
> This is a serious issue... I have a php script which lets me navigate the
> entire hard disk in a cobalt raq3. I have sent it to cobalt security
> people... but they just didn't say a word about it

That's correct.  In the release notes for 4.1, I got the strong impression
that they hope to migrate to a more secure default config.  But because many
(most) developers are used to the previous, relaxed configuration, they are
going to do it over a couple of versions.

They say that 4.2 will by default come with many of the security features
enabled.  If you read through the documentation on the PHP site, you will
see that since php4 was released, the emphasis on security has greatly
increased with each new version.

There is a lot of documentation there on how to tighten up the basic
install.  I strongly recommend reading it.  www.php.net

P.S. I believe that this is a common problem, even among cgi scripts.  You
can use the CGI version of PHP and benefit from cgi-wrap which is installed
on the server.  However, I don't write CGI and therefore only know that
cgi-wrap supposedly increases security of CGI scripts.  I don't know if this
problem is fixed there or not.

Matt Nuzum