
Thread: PHP 6 Safe Mode is OFF

  1. #1

    Thread Starter
    New Member
    Join Date
    Mar 2008
    Posts
    13

    PHP 6 Safe Mode is OFF

    Hi there. As we know, in PHP 6 Safe Mode is off and can't be turned on... it means a hacker can upload a shell script to the server... any idea how to secure it, or any alternative to Safe Mode to secure shared hosting?

  2. #2
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Re: PHP 6 Safe Mode is OFF

    Write secure code. Safe mode was just an excuse not to and lured developers into a false sense of security. That is why it has been removed. open_basedir still exists though.
    Last edited by visualAd; Mar 22nd, 2008 at 04:35 PM.
    PHP || MySql || Apache || Get Firefox || OpenOffice.org || Click || Slap ILMV || 1337 c0d || GotoMyPc For FREE! Part 1, Part 2

    | PHP Session --> Database Handler * Custom Error Handler * Installing PHP * HTML Form Handler * PHP 5 OOP * Using XML * Ajax * Xslt | VB6 Winsock - HTTP POST / GET * Winsock - HTTP File Upload

    Latest quote: crptcblade - VB6 executables can't be decompiled, only disassembled. And the disassembled code is even less useful than I am.

    Random VisualAd: Blog - Latest Post: When the Internet becomes Electricity!!


    Spread happiness and joy. Rate good posts.

  3. #3
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Re: PHP 6 Safe Mode is OFF

    And from the shared server point of view, which was the original intention of safe mode: PHP should not be used to enforce things like environment variable visibility, execution directories and file open masks.

  4. #4

    Thread Starter
    New Member
    Join Date
    Mar 2008
    Posts
    13

    Re: PHP 6 Safe Mode is OFF

    So what do you people suggest: if we are using PHP 6 and running a shared hosting web, can I use mod_php and FastCGI? Because I want to use PHP 6 and don't want to allow anyone to upload a shell script like r57 etc. Or do you have any other, better solution, please?

  5. #5
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Re: PHP 6 Safe Mode is OFF

    You need to ensure that the web server is running with the appropriate permissions. My advice to you is that if you are running a shared server, you ensure that all your users who have SSH access are chrooted into their home directory and that you run PHP as a CGI using the suexec helper, which is a safe way of executing CGI scripts as a different user.

    With regard to uploading shell scripts, you can prevent the execution of files at the kernel level when the file system is mounted. However, if your users and your web applications have non-root access it will be difficult for it to do much damage if it were executed.

    If you are running a shared server you will never be completely immune to security flaws because your users will be uploading code. For example, someone could cause a denial of service on the host by running a script which enters an infinite loop. So in addition you need to ensure your fair use policy (which I am sure you have) is robust enough to be able to deal with the un-secure code yourself with and those who install and run it.

    The most damage any process run by a user on a shared host should EVER be able to do is delete all the files in that user's document root.
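The mount-level control mentioned in post #5, as an added example that is not part of the thread: a Python check that finds which mount governs an upload directory and reports whether it lacks `noexec`. Checking `nosuid` and `nodev` as well is an assumption added here, and the mount table and paths are constructed samples; on a real Linux host the text would be read from `/proc/mounts`.

```python
import os

# Constructed sample in /proc/mounts format:
# device, mountpoint, fstype, options, dump, pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda3 /home/alice/public_html/uploads ext4 rw,noexec,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""

# noexec is the control the post refers to; nosuid/nodev are added assumptions.
REQUIRED = ("noexec", "nosuid", "nodev")

def parse_mounts(text):
    """Return a list of (mountpoint, set_of_options) from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        # /proc/mounts escapes spaces in paths as \040
        mountpoint = fields[1].replace("\\040", " ")
        mounts.append((mountpoint, set(fields[3].split(","))))
    return mounts

def covering_mount(path, mounts):
    """Pick the mount that governs path: the longest mountpoint that is a path prefix."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, opts in mounts:
        mp = os.path.normpath(mountpoint)
        # Compare whole path components so /home does not match /homework.
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            # >= so a later mount on the same point shadows an earlier one
            if best is None or len(mp) >= len(best[0]):
                best = (mp, opts)
    return best

def missing_options(path, mounts, required=REQUIRED):
    """Options from `required` that the governing mount lacks (empty list = OK)."""
    found = covering_mount(path, mounts)
    if found is None:
        return list(required)
    return [opt for opt in required if opt not in found[1]]

if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for d in ("/home/alice/public_html/uploads/img", "/home/bob/public_html/uploads"):
        print(d, "missing:", missing_options(d, table) or "none")
```

`noexec` blocks direct execution of a file from that mount; an interpreter that opens the file as data is not stopped by it, so the per-user execution described in the post still matters.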
