Re: advice request for shared hosting and security issue
On 06/24/2013 01:58 PM, Marek Podmaka wrote:
> As for a minimum you should set the open_basedir restriction, which should
> prevent internal PHP functions from reading other files.
Excuse me to say it this way but ... NO !!! :)
Seriously, open_basedir has been deprecated for *years* now, and is
totally removed from the latest versions. Also, just have a look into
Most specifically, the security team will not provide
support for flaws in:
- vulnerabilities involving any kind of safe_mode or open_basedir
violation, as these are security models flawed by design and no longer
have upstream support either.
> But of course it
> won't help if they use system utilities via the exec()/system() PHP
> calls. You can disable these functions in PHP using the suhosin
> extension (maybe the backtick function/operator can also be disabled).
> And enable exec only for vhosts (or individual scripts) which need
> them. It's not bulletproof, but better than nothing.
Disabling functions is *not* the way to go. Not only is what you wrote
not bulletproof, it is also completely wrong and dangerous
advice, in my opinion, and it's even worse than nothing: it may give the
impression that things are safe when they are not, especially if you
enable some exec functions for some sites.
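The two settings argued over above (a per-vhost open_basedir and a list of disabled exec-type functions) are easy to configure in the wrong place and silently have no effect. The following probe script is an added example, not code from either poster or from any project; it reports whether those restrictions are actually in force for the vhost it runs under by exercising them at runtime rather than only reading ini values. The vhost directives in the header comment, the paths and the function list are assumptions for illustration. Note the reply's point still stands: a passing probe shows the restriction is applied, not that it cannot be bypassed.

```php
<?php
// Added example: probe whether open_basedir and disable_functions are in
// effect for the current PHP SAPI/vhost. Run it through the web server, not
// the CLI, since the CLI usually loads a different php.ini.
//
// Assumed (hypothetical) mod_php vhost configuration being checked:
//   <VirtualHost *:80>
//       DocumentRoot /srv/www/customer1/htdocs
//       php_admin_value open_basedir "/srv/www/customer1/:/tmp/"
//       php_admin_value disable_functions "exec,system,passthru,shell_exec,popen,proc_open"
//   </VirtualHost>
//
// Paths and function names below are assumptions for the example.

declare(strict_types=1);

/** A file that exists but lies outside the assumed open_basedir. */
const OUTSIDE_FILE = '/etc/passwd';

/** Functions the advice in the thread would disable for ordinary vhosts. */
const EXEC_FUNCTIONS = ['exec', 'system', 'passthru', 'shell_exec', 'popen', 'proc_open'];

/**
 * Returns the configured open_basedir value and whether PHP actually refused
 * a read outside it. We look at the warning text rather than the return
 * value alone, so a missing file is not mistaken for an enforced restriction.
 */
function probe_open_basedir(): array
{
    $setting = ini_get('open_basedir');
    error_clear_last();
    $contents = @file_get_contents(OUTSIDE_FILE);   // warning suppressed, inspected below
    $last = error_get_last();
    $refused = $last !== null
        && str_contains($last['message'], 'open_basedir restriction in effect');

    return [
        'configured' => $setting !== false && $setting !== '',
        'value'      => $setting === false ? '' : $setting,
        'enforced'   => $refused,
        'readable'   => $contents !== false,
    ];
}

/**
 * Returns ENABLED/disabled for each exec-type function. function_exists()
 * returns false for functions listed in disable_functions, so this reflects
 * the effective setting for this SAPI. Functions blacklisted by the suhosin
 * extension are a separate mechanism and are not detected here.
 */
function probe_disabled_functions(): array
{
    $result = [];
    foreach (EXEC_FUNCTIONS as $fn) {
        $result[$fn] = function_exists($fn) ? 'ENABLED' : 'disabled';
    }
    // The backtick operator is shell_exec() underneath; disabling shell_exec
    // disables backticks as well, so no separate probe is needed for it.
    $result['`backticks`'] = $result['shell_exec'];
    return $result;
}

function report(): string
{
    $lines = [];
    $lines[] = 'SAPI: ' . PHP_SAPI;

    $ob = probe_open_basedir();
    $lines[] = sprintf(
        'open_basedir: configured=%s value="%s" enforced=%s outside-file-readable=%s',
        $ob['configured'] ? 'yes' : 'NO',
        $ob['value'],
        $ob['enforced'] ? 'yes' : 'NO',
        $ob['readable'] ? 'YES' : 'no'
    );
    if ($ob['configured'] && !$ob['enforced'] && $ob['readable']) {
        $lines[] = '  WARNING: open_basedir is set but a read outside it succeeded; '
            . 'the directive is probably not applied to this vhost.';
    }

    $lines[] = 'disable_functions: ' . (ini_get('disable_functions') ?: '(none)');
    foreach (probe_disabled_functions() as $fn => $state) {
        $lines[] = sprintf('  %-12s %s', $fn, $state);
    }
    return implode("\n", $lines) . "\n";
}

header('Content-Type: text/plain');
echo report();
```

Dropping this file into one customer's document root and fetching it shows whether the restrictions meant for that vhost are the ones PHP is actually enforcing there; running the same file from a vhost that is supposed to keep exec() enabled makes the asymmetry the reply warns about visible in the output.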