The Community Forums


How do you have your PHP secured?

Discussion in 'General Discussion' started by summy, Jun 1, 2004.

  1. summy

    summy Active Member

    Joined:
    Jan 14, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    I would appreciate it if you guys could see if you have similar problems....

    I'm running PHP 4.3.6 with open_basedir and PHPsuexec. Safe mode is Off. No functions are disabled using the "disable_functions" directive in the php.ini file. The reason for this is that when running PHPsuexec a customer can place a php.ini file in their public_html directory and override *ANY* setting, including Safe Mode.

    A customer could use:
    Code:
    <?php include $_REQUEST['file'] ?>
    
    Where file = /etc/passwd

    This can be used to view other files anywhere on the system, if they know the exact location and if ANYBODY has permission to read it.

    They could also use exec, shell_exec, proc_open, and all those other functions we like to disable (simply because they can be overridden using a php.ini file locally).

    Safe Mode:
    So not having safe mode On seems very bad indeed. But then safe mode will break scripts like osCommerce (unless anyone else has successfully enabled safe mode and oscommerce still works, please let me know).

    PHPsuexec:
    PHPsuexec is nice because it tells us who is abusing resources, doesn't allow us to open other users' files etc. (if permissions are set correctly).

    Open_basedir:
    Is this the php value as set in the php.ini file? If so, this is easily overridden again when using phpsuexec and a local php.ini file. My phpinfo pages report "no value" under this heading. Is that not right? Should each user have their homedir specified?

    Ideally I'd like all 3 of these security measures in place, but can't have safe mode and phpsuexec running together; it's gotta be one or the other.

    How do you guys have your PHP configured? I'd be interested to know.

    Cheers

    Matt.
     
    #1 summy, Jun 1, 2004
    Last edited: Jun 1, 2004
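    As an added example (not code from the thread or from cPanel), here is the "include $_REQUEST['file']" pattern from post #1 rewritten the way a defender would, plus a small runtime audit of the three settings the post discusses. The request value is used only as a key into a fixed allowlist, and the resolved path is checked against one base directory, so a value like /etc/passwd never reaches include(). The audit reads the values with ini_get(), which reports what is actually in effect for this request, so it shows whether a per-directory php.ini has overridden open_basedir, safe_mode or disable_functions. The function names, the $pages allowlist and the templates/ directory are assumptions made for illustration; the code targets a current PHP, where safe_mode no longer exists and ini_get() returns false for it.

```php
<?php
// Added example, not from the thread: hardened page include + settings audit.
// $pages, renderPage(), auditPhpSettings() and templates/ are illustrative names.

// 1. Hardened include. The request value is a key into this allowlist, never a
//    path, so "/etc/passwd" or "../x" cannot be passed to include().
$pages = array(
    'home'    => 'home.php',
    'contact' => 'contact.php',
);

function renderPage(array $pages, $requested, $baseDir)
{
    if (!isset($pages[$requested])) {
        return 'Unknown page';             // reject anything not allowlisted
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$requested]);
    // Even an allowlisted entry must resolve to a real file inside $baseDir.
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return 'Unknown page';
    }
    ob_start();
    include $target;
    return (string) ob_get_clean();
}

// 2. Audit of the settings discussed in the thread, read at runtime so the
//    report reflects any per-directory php.ini that phpsuexec applied.
function auditPhpSettings()
{
    $report = array(
        // false on current PHP (directive removed); "" or "0" meant off
        'safe_mode'         => ini_get('safe_mode'),
        // "" is the "no value" phpinfo shows: no path restriction at all
        'open_basedir'      => ini_get('open_basedir'),
        'disable_functions' => ini_get('disable_functions'),
    );
    $report['open_basedir_set'] = ($report['open_basedir'] !== ''
        && $report['open_basedir'] !== false);
    $report['disabled'] = array_values(array_filter(array_map(
        'trim', explode(',', (string) $report['disable_functions'])
    )));
    return $report;
}

// Usage: drop this file into a test account's public_html and request it.
$page = isset($_REQUEST['page']) ? (string) $_REQUEST['page'] : 'home';
echo renderPage($pages, $page, __DIR__ . '/templates');
foreach (auditPhpSettings() as $key => $value) {
    printf("%s = %s\n", $key,
        is_array($value) ? implode(',', $value) : var_export($value, true));
}
```

    An empty open_basedir line in the audit output is the "no value" the post asks about: nothing restricts which files the account can read, which is exactly the condition under which the quoted one-liner exposes /etc/passwd. Running the audit from inside a user account, rather than from phpinfo() on the server default, shows the values after any local php.ini has been applied.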
  2. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    PHP Safe Mode does break scripts. It is akin to buying a new car, but forgoing a lot of the high-end options. Just doesn't make sense, aside from the security it provides.
     
  3. Dillard

    Dillard Well-Known Member

    Joined:
    Feb 26, 2003
    Messages:
    114
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    The Netherlands
    This has been taken care of in the httpd.conf
     