PHP - shared hosters, take note. - SANS Internet Storm Center

SANS ISC InfoSec Forums

PHP - shared hosters, take note.
PHP is a popular server side scripting language. PHP's (security) settings are typically controlled from a php.ini file. This allows the system administrator to control settings such as such as safe_mode and open_basedir. People managing shared hosting machines often control the settings on a more granular level in the apache configuration (httpd.conf) as they can set it there per directory and allow for the different hosted sites to have different settings. This latter method of limiting scripts can be overcome from inside the scripts themselves. Details are trivially available. So that leaves: Control PHP settings from the php.ini file if possible; If you are a shared hosting provider: check the CVS repository, reportedly the needed fixes have been checked in (unconfirmed); Cross your fingers and wait for the next release of PHP (the current releases are reportedly affected). CVE-2006-4625 -- Swa Frantzen -- Section 66	Swa 760 Posts Sep 13th 2006
Thread locked Subscribe	Sep 13th 2006 1 decade ago