Wednesday, February 07, 2007

Several safety issues in PHP

(1) In PHP there is now a very easy mechanism to disable the ability to write files. This is a great idea especially if your site is entirely database-driven, in which case you don't have any legitimate need to write to the filesystem with PHP anyway. To disable file writing, simply add fwrite to the list of disabled functions in php.ini:
disable_functions = "fwrite"
If you don't use php.ini and need to set this value in Apache httpd.conf, remember that it requires a php_admin_value flag (rather than php_value):
php_admin_value disable_functions "fwrite"

(2) Many of the functions related to file operations are dangerous. Because they duplicate functions that can and should be performed from the local system, they can be a cracker's bonanza without providing much value to legitimate users. Strongly consider disabling them using PHP's disable_functions directive!
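To confirm what items (1) and (2) achieve on a given server, the following added example (not code from the original post) compares a disable_functions value against a list of file-modifying functions and reports which ones are still callable, first for the single-function setting from item (1) and then for the configuration the interpreter actually loaded. The audited function list and the helper names parse_disabled and still_callable are assumptions chosen for illustration.

```php
<?php
// Added example: audit which file-modifying functions remain callable.
// The list below is an illustrative assumption; extend it for your site.
const FILE_MODIFYING_FUNCTIONS = [
    'fwrite', 'fputs', 'file_put_contents', 'fopen', 'copy', 'rename',
    'unlink', 'mkdir', 'rmdir', 'touch', 'chmod', 'move_uploaded_file',
];

/** Split a disable_functions value into a clean list of function names. */
function parse_disabled(string $iniValue): array
{
    $names = array_map('trim', explode(',', $iniValue));
    return array_values(array_filter($names, fn($n) => $n !== ''));
}

/** Return the audited functions that the directive value does not cover. */
function still_callable(string $iniValue, array $audited = FILE_MODIFYING_FUNCTIONS): array
{
    return array_values(array_diff($audited, parse_disabled($iniValue)));
}

/** Print one report line per function that is not disabled. */
function report(string $label, string $iniValue): void
{
    echo "$label disable_functions = \"$iniValue\"\n";
    $open = still_callable($iniValue);
    if ($open === []) {
        echo "  all audited functions are disabled\n";
        return;
    }
    foreach ($open as $fn) {
        echo "  still callable: $fn\n";
    }
}

// Constructed sample: the single-function setting shown in item (1).
report('Sample', 'fwrite');

// The value this PHP process really loaded (php.ini or server config).
report('Live', (string) ini_get('disable_functions'));
```

Run it once from the command line and once through the web server, since the two often load different configuration files.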

(3) Remember that although the Web server (and client-side languages such as JavaScript) can only act on files located under the document root, PHP can access files at any location in the file system—including those above or entirely outside the Web server document root—as long as the file permissions and include_path are set correctly. For instance, if your Web server document root is located at /usr/local/apache/htdocs, Apache will be able to serve only files from this directory and its subdirectories, but PHP can open, read, and write to files in /usr/local, /home/php, /export/home/httpd, or any other directory that you make readable and includable by the PHP and/or Web server user.
