
Re: [cobalt-security] php security



Hi Matt,


> P.S. I believe that this is a common problem, even among cgi scripts.  You
> can use the CGI version of PHP and benefit from cgi-wrap which is installed
> on the server.  However, I don't write CGI and therefore only know that
> cgi-wrap supposedly increases security of CGI scripts.  I don't know if this
> problem is fixed there or not.


Well, if you let your users create .cgi scripts they can use any language
they want, as long as your server can run it. So they could even use
binaries. But anyway, cgi-wrap only makes sure the script is run under the
privileges of the site-owner. Any user can read /etc/passwd, so any cgi-wrap
script can do this also.

I'm not a PHP-user myself, but I would find it strange if there is no
possibility in php to run server-side scripts from a .php file. (In my
O'Reilly php pocket ref I see a function called exec, and one called
escapeshellcmd). So even with open_basedir on, one could do an exec(/bin/cat
/etc/passwd) or exec(/bin/ls /) or something.

Of course you could also lock those calls. But this is useless if you do
allow .cgi scripts.... If you allow scripts, you should secure the server as
if you give shell-access (whether you do that or not). So the question is:
what can my user find out about the system, how threatening is this, should
I lock this information or should I make sure they cannot use it.

Jelmer
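
Added example, not part of the original message: a small audit of php.ini text for the gap discussed above, where open_basedir is set but PHP's process-execution functions are still callable. It assumes "locking those calls" is done with PHP's disable_functions directive; the paths and sample configs are constructed.

```python
# PHP functions that start external processes. open_basedir only limits
# PHP's own file functions, so it does not restrict any of these.
PROCESS_FUNCTIONS = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"}


def parse_ini(text):
    """Return {directive: value} from php.ini text; the last assignment wins.

    Assumes Unix-style values (no ';' inside a value), since ';' starts a comment.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit(text):
    """Return a list of findings; an empty list means both controls are in place."""
    settings = parse_ini(text)
    findings = []
    if not settings.get("open_basedir"):
        findings.append("open_basedir is not set")
    disabled = {name.strip().lower()
                for name in settings.get("disable_functions", "").split(",")
                if name.strip()}
    still_callable = sorted(PROCESS_FUNCTIONS - disabled)
    if still_callable:
        findings.append("process execution still allowed: " + ", ".join(still_callable))
    return findings


# Constructed sample configs (hypothetical site path).
ONLY_BASEDIR = """
[PHP]
open_basedir = /home/sites/example/web   ; file functions confined, exec() is not
"""
LOCKED = """
open_basedir = /home/sites/example/web
disable_functions = exec, system, passthru, shell_exec, popen, proc_open
"""

if __name__ == "__main__":
    for name, cfg in (("ONLY_BASEDIR", ONLY_BASEDIR), ("LOCKED", LOCKED)):
        print(name, audit(cfg) or "no findings")
```

An empty result only covers PHP: as the message says, it tells you nothing once users may upload .cgi scripts, which php.ini does not govern.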