Re: advice request for shared hosting and security issue
On 06/24/2013 01:58 PM, Marek Podmaka wrote:
> As for minimum you should set open_basedir restriction, that should
> prevent internal php functions to read other files.
Excuse me to say it this way but ... NO !!! :)
Seriously, open_basedir has been deprecated for *years* now, and is
totally removed from latest versions. Also, just have a look into
/usr/share/doc/php5/README.Debian.security:
Most specifically, the security team will not provide
support for flaws in:
[...]
- vulnerabilities involving any kind of safe_mode or open_basedir
violation, as these are security models flawed by design and no longer
have upstream support either.
> But of course it
> won't help if they will use system utilities viac exec()/system() php
> calls. You can disable these functions in php using the suhosin
> extension (maybe also the backtick function/operator can be disabled).
> And enable exec only for vhosts (or individual scripts) which need
> them. It's not bulletproof, but better than nothing.
Disabling functions is *not* the way to go. Not only what you wrote
isn't bulletproof, but it is also a completely wrong and dangerous
advice, in my opinion, and it's even worse than nothing: it may give the
impression that things are safe, when they are not, especially if you
enable some exec functions for some sites.
Thomas
Reply to: