Results 1 to 6 of 6
  1. #1
    Join Date
    May 2004
    Mountain View, CA

    PHP Security Issues

    An interesting article:

    What's your experience?
    DreamLogic Cult Film and Music Reviews
    STOPware - Visitor Management solutoins

  2. #2
    There are ways to have PHP scripts execute using the userid of the file containing the script. This makes PHP scripts as secure as CGI scripts, and it can solve the problem; however, it is places a large load on the web server and few web hosting providers do this.

    Servers running cPanel have this built in (but not enabled by default):
    "Php's open_basedir protection prevents users from opening files outside of their home directory with php."
    Michael @ Qualserv Networks - quality hosting since 1998!

    Bringing Web Hosting to a Personal Level

  3. #3
    Join Date
    Dec 2003
    Vancouver BC, eh?
    I have seen the same thing done with an app on a windows server. The person opened a temporary shell, that executed any command under iis server permissions, then killed the shell after output. Showed me all sorts of neat information about the server including who administrated it.

    This isn't just a php thing.

    If you are on a shared hosting environment your data is not 100% safe at anytime. It is pretty simple for another user on that system to explore the server using a simple php script that acts like a command shell under the apache user.
    If you have an account that requires the utmost security at all - charge them an arm and a leg and go for a dedicated server to run your accounts on.
    From the outside it is up to the developer to not create exploitable scripts.

  4. #4
    Actually happened on my server, but we got to it in less than 20 minutes :-) Fixed that hole...

    The things people can do these days...

  5. #5
    The guy don't know what he's doing. To prevent the very issue he said, install Phpsuexec. Cpanel have a script (/scripts/easyapache) that can do it for you easily if you don't know how to do it.

    Also you can enable open_basedir, safe_mode, disable some functions, and so on.

    Also by default Cpanel now set the home and user directories as well the the web root directory at a relatively secure settings so you shouldn't be able to access it anyway.

    Combined together, it's fairly secure and definitely address the issue mentioned in that thread (by a guy who obviously don't know what's he's talking about)
    Like us on Facebook to qualify for discounts!
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  6. #6
    Join Date
    Mar 2003
    California USA
    to further prevent web attacks, theres hardened php (its a patch), mod_security ( )
    Steven Ciaburri | Proactive Linux Server Management -
    Managed Servers (AS62710), Server Management, and Security Auditing.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts