[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Possible release note for systems running PHP through CGI.



On Mon, Aug 20, 2012 at 06:40:54PM +0200, Marco d'Itri wrote:
> On Aug 20, Wouter Verhelst <w@uter.be> wrote:
> 
> > > But some sites accept file uploads with arbitrary names, perhaps
> > > expected to be a JPEG image, but actually named bar.php.jpeg and
> > > containing malicious server-side PHP which they could execute from the
> > > browser.
> > Don't Do That Then(TM).
> I see that you are not in the web hosting business. <g>

Nope. But we can't do the job of a person running a shared hosting
webserver, anyway, because the security issues in that area of business
are so intense that people doing shared hosting for random crap code of
their customers need to review and overhaul the default configuration in
minute detail anyway.

Again, if there's something we can do to make their jobs easier without
impacting a significant amount of our other users, I'm all for it. I
don't think this particular bit qualifies, however.

> Millions of web sites do this, so now matter how a bad practice this is 
> (and I agree that it is) we need to do everything possible to work 
> around insecure web sites.

Yes, you (a person who maintains servers in a shared hosting business)
need to do that. We (Debian) have different priorities, however.

> Also, we are talking about PHP: if educating developers were possible, 
> they would not use PHP in the first place.

*g*

[...]

-- 
The volume of a pizza of thickness a and radius z can be described by
the following formula:

pi zz a


Reply to: