P.Z. Low Cost CPanel Web Hosting  

PHP Security
Billy Bandit
PHP Security - 04-01-2003, 10:56 AM

I came across this article that discusses an ISP's security with regard to common apps such as forums, galleries, etc:
http://gallery.menalto.com/modules.p...rder=0&thold=0

Is Page-Zone susceptible to this problem? If so, what are the plans to bridge this security gap?

Thanks!
   
srinivas
04-01-2003, 05:38 PM

The problem will exist on all servers that host multiple sites, i.e., the same web server process / id.

srs
   
Billy Bandit
04-01-2003, 06:05 PM

Sure, but according to the article there are ways to eliminate that problem. I'd like to know if Page Zone has done so or if Page Zone is planning to.
   
srinivas
04-01-2003, 07:47 PM

I don't think Page-Zone uses either chroot or suexec.

About plans - that's for Jim to answer.

srs
   
prince
04-02-2003, 12:23 AM

I've had a lot of hosts over the years and IMHO - it's impossible for them to keep up with ALL the possible security risks – for all the 1000's of free scripts.

Of course, they could turn off all the Power we pay for and then be like the big ISP hosting servers (Earthlink, etc) i.e. where you cannot run customized scripts.

To me the security of these cheap/free scripts is more in the hands of the author of the script – and you and I (all users). The people writing the scripts must keep up and include patches / upgrades as security holes are found. But some of them would rather blame the ISP/host when there is a security risk.

BTW: I have to admit that gallery is one of the better ones about having features that help prevent security problems. They check permissions for config.php, .htaccess and Setup after you do a manual install and remind you to reset them (make them secure). Most other scripts do not do this – they just have a readme file telling you what permissions to set for security.

I keep up with patches / bug announcements of several scripts that I install for other people. And to me the biggest security risk is the user – who does not check for patches / updates for scripts he installed.

IMHO: The user should not expect the host/ISP to be able to keep up with the security risks in all the scripts. Otherwise, the host will just have to start turning off features that will make some scripts useless. I've already had trouble with a former host changing the $env variable settings that shut down my custom error log that I use to watch for hacker 'probes'.

I for one - think Page-zone has a good balance of Power and Security. And I'm willing to take the responsibility of keeping up with the patches / upgrades for the scripts I manage.

What I do expect from a host like Page-zone is that they keep up with all the patches / bug fixes / upgrades / security risks for the scripts they run (apache, ftp, mail, etc). For example, I expect them to be aware of security patches / upgrades for things like Sendmail (which now has another security risk : ( : ( ). Beyond that I think we (the users on a shared server) have to take some responsibility for the many many scripts we use.

Sorry – end of ramble – I just think it's our responsibility to manage scripts we use on a shared server. And I would hate to see Page-zone start shutting off features every time someone writes a script that needs a particular setting. I write a few very simple php scripts and I sure don't expect Page-zone to cover my behind : )


***********
Site index: http://www.ibdprince.com
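
The post-install permission reminder described in the post above can be approximated in a few lines of PHP. This is an added example, not Gallery's own code and not part of the original post; the function name `audit_install_perms`, the thresholds, and the assumption that PHP runs as the account owner (CGI under suEXEC) are illustrative.

```php
<?php
// Added example, not Gallery's code. File names come from the post; the
// thresholds and the suEXEC/CGI assumption are illustrative.

/** Return findings for install files whose mode is wider than needed. */
function audit_install_perms(string $dir, array $names, bool $runsAsOwner): array
{
    $findings = [];
    foreach ($names as $name) {
        $path = rtrim($dir, '/') . '/' . $name;
        clearstatcache(true, $path);
        if (!file_exists($path)) {
            continue; // e.g. the setup directory was already removed
        }
        $mode = fileperms($path) & 0777;
        if ($mode & 0002) {
            $findings[] = sprintf('%s: world-writable (%04o)', $name, $mode);
        } elseif ($mode & 0020) {
            $findings[] = sprintf('%s: group-writable (%04o)', $name, $mode);
        }
        // When PHP runs as the account owner, scripts holding credentials
        // need no "other" read bit. .htaccess is read by Apache itself, so
        // it is left out of this check.
        $isPhp = pathinfo($name, PATHINFO_EXTENSION) === 'php';
        if ($runsAsOwner && $isPhp && ($mode & 0004)) {
            $findings[] = sprintf('%s: readable by other accounts (%04o)', $name, $mode);
        }
    }
    return $findings;
}

// Constructed sample install in a temporary directory.
$dir = sys_get_temp_dir() . '/perm_audit_' . uniqid();
mkdir($dir, 0700);
file_put_contents("$dir/config.php", "<?php // constructed sample\n");
file_put_contents("$dir/.htaccess", "# constructed sample\n");
chmod("$dir/config.php", 0666);   // left open after a web-based setup
chmod("$dir/.htaccess", 0644);

foreach (audit_install_perms($dir, ['config.php', '.htaccess', 'setup'], true) as $line) {
    echo $line, "\n";
}
unlink("$dir/config.php");
unlink("$dir/.htaccess");
rmdir($dir);
```

On a host where every site runs under the same web server id, pass `false` for the last argument: the web server then needs the read bit, and only the write findings apply.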
   
Jim
of Page-Zone
04-02-2003, 04:38 AM

Yes, we use suEXEC. Gallery will not work in safe mode though. A lot of php scripts will not work in safe mode.


--
Thank You,
Jim Snape
Page-Zone
--
   
Rikaelus
Guest
 
07-30-2003, 05:16 PM

Jim (or someone else),

Not to beat a dead horse, but...

I'm moving my website away from its current location, and have run into a problem with the first place I tried to move it to. They were running PHP in safe-mode and many functions that my site needs were disabled, such as fsocketopen, mail, opendir, readdir, closedir, just to name a few. They also appeared to have the register_globals directive off.

Now some of these I can alter, such as changing fsocketopen to fopen, or even some other like-command, but the others are essentially required by my site.

What's the status of your PHP configuration? Would I run into the same problems here?

For those who are familiar with it, my website is based on PHP-Nuke, and customized from that.

Thanks in advance...
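
A host's PHP restrictions can be checked from a trial account before a site is moved. The script below is an added example, not code from this thread; the function name `php_preflight` is hypothetical, and the list of required functions is sample input written with PHP's built-in names (`fsockopen` for the socket call).

```php
<?php
// Added example, not code from the thread. The function list is sample input.

/** Report required functions and settings that this host does not provide. */
function php_preflight(array $requiredFunctions): array
{
    // disable_functions is a comma-separated php.ini value.
    $raw = strtolower((string) ini_get('disable_functions'));
    $disabled = array_filter(array_map('trim', explode(',', $raw)));

    $report = ['unavailable' => [], 'settings' => []];
    foreach ($requiredFunctions as $fn) {
        if (in_array(strtolower($fn), $disabled, true)) {
            $report['unavailable'][$fn] = 'listed in disable_functions';
        } elseif (!function_exists($fn)) {
            $report['unavailable'][$fn] = 'not defined (extension missing or name wrong)';
        }
    }
    // ini_get() returns false for directives this PHP version no longer has
    // (safe_mode and register_globals were removed in PHP 5.4).
    foreach (['safe_mode', 'register_globals'] as $key) {
        $value = ini_get($key);
        if ($value === false) {
            $report['settings'][$key] = 'not supported by this PHP version';
        } else {
            $on = in_array(strtolower($value), ['1', 'on'], true);
            $report['settings'][$key] = $on ? 'on' : 'off';
        }
    }
    return $report;
}

// Sample input: functions the application depends on.
$needed = ['fsockopen', 'mail', 'opendir', 'readdir', 'closedir'];
$report = php_preflight($needed);

foreach ($report['unavailable'] as $fn => $why) {
    echo "UNAVAILABLE  $fn: $why\n";
}
foreach ($report['settings'] as $key => $state) {
    echo "SETTING      $key: $state\n";
}
if (!$report['unavailable']) {
    echo "All required functions are available.\n";
}
```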
   