Re: PHP security (or the lack thereof)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: PHP security (or the lack thereof)
From: flaps@xxxxxxxxxxxxxxx (Alan J Rosenthal)
Date: Mon, 19 Jun 2006 19:41:48 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: flaps@xxxxxxxxxxxxxxxxxxxx

>For example, allowing users to upload and execute any C executable file to a
>public web server can prove to be quite dangerous.
>
>I think the same can be said for allowing PHP on a public web server, you
>have just allowed anyone with a website to compromise the entire machine.

I think the relevant maxim is "It's possible to write PHP in any language"

...
>As a threat to the internet in whole, don't you think these public php
>enabled web servers pose an high risk?

I think that any ability of the (l)users to expose executables as web
services threatens the security of the web server machine, irrespective of
programming language.  (But I don't see how it threatens "the internet" --
they can already connect their own misconfigured machine to the net directly)

Follow-Ups:
- Re: PHP security (or the lack thereof)
  - From: Geo.

Prev by Date: Eduha Meeting php shell upload Vulnerabilities
Next by Date: Re: PHP security (or the lack thereof)
Previous by thread: Re: PHP security (or the lack thereof)
Next by thread: Re: PHP security (or the lack thereof)
Index(es):
- Date
- Thread