On Sat, Mar 19, 2005 at 09:48:17PM +0000, Steve Kemp wrote:
>
> There are three types of attack that come up often
> in the PHP world:
(...)
BTW, I did some research on PHP security a while back and ended up providing a
php.ini.paranoid configuration file in php4 (see #274374). You might want
to add these to your bookmarks:
http://phpsec.org/ (PHP Security Consortium site)
http://www.php.net/features.safe-mode (Safe mode features of PHP)
http://shiflett.org/archive/81 (Chris Shiflett's talks on PHP security)
http://www.phpsecure.info/ (PHP security site)
This is the list of functions that I disabled in the PHP paranoid
configuration:
disable_functions = dl, phpinfo, system, mail, include, shell_exec, exec,
escapeshellarg, escapeshellcmd, passthru, proc_close, proc_open,
proc_get_status, proc_nice, proc_open, proc_terminate, popen, pclose,
chown, disk_free_space, disk_total_space, diskfreespace, fileinode,
max_execution_time, set_time_limit, highlight_file, show_source
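As an added example (not part of the mail or of the php4 package), here is a small audit script that reads a php.ini and reports which names from the paranoid list above are still enabled; the SAMPLE_INI it runs on is constructed, not taken from any real deployment.

```python
import re

# Baseline copied from the php.ini.paranoid list quoted above.
# Note for auditors: "include" is a language construct, not an internal
# function, so disable_functions has no effect on it; it is kept here only
# because the list contains it.
PARANOID_DISABLED = {
    "dl", "phpinfo", "system", "mail", "include", "shell_exec", "exec",
    "escapeshellarg", "escapeshellcmd", "passthru", "proc_close", "proc_open",
    "proc_get_status", "proc_nice", "proc_terminate", "popen", "pclose",
    "chown", "disk_free_space", "disk_total_space", "diskfreespace",
    "fileinode", "max_execution_time", "set_time_limit", "highlight_file",
    "show_source",
}

def parse_disable_functions(ini_text):
    """Return the set of names in the disable_functions directive.

    Strips ';' comments and surrounding quotes, lower-cases names (PHP
    function names are case-insensitive) and applies PHP's last-wins rule
    when the directive appears more than once.
    """
    names = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "disable_functions":
            continue
        value = value.strip().strip('"')
        names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names

def audit(ini_text, baseline=PARANOID_DISABLED):
    """Compare a php.ini against the baseline; returns (missing, extra)."""
    disabled = parse_disable_functions(ini_text)
    return sorted(baseline - disabled), sorted(disabled - baseline)

# Constructed sample: a repeated directive, mixed case and an extra entry.
SAMPLE_INI = """\
; partially hardened php.ini (constructed sample)
safe_mode = On
disable_functions = "dl, phpinfo, system, exec"
disable_functions = dl,phpinfo,System,exec,shell_exec,passthru,popen,curl_exec
"""

if __name__ == "__main__":
    missing, extra = audit(SAMPLE_INI)
    print("still enabled vs. paranoid list:", ", ".join(missing))
    print("disabled beyond the list:", ", ".join(extra))
```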
If you are going to start an effort on auditing PHP applications you might
want to talk to Chris Shiflett (shiflett AT php.net), who is an active
member of the OWASP project (as I am) and has been spearheading some of the
efforts in improving the security of PHP projects out there.
Regards
Javier