
SANS ISC: PHP - shared hosters, take note. SANS ISC InfoSec Forums

PHP is a popular server side scripting language.

PHP's security-relevant settings are typically controlled from the php.ini file. This lets the system administrator control settings such as safe_mode and open_basedir.

Administrators of shared hosting machines often control these settings at a more granular level in the Apache configuration (httpd.conf), since there they can be set per directory, allowing the different hosted sites to have different settings.

This latter method of restricting scripts can be overcome from inside the scripts themselves; details are trivially available.

So that leaves:
  • Control PHP settings from the php.ini file if possible;
  • If you are a shared hosting provider: check the CVS repository, reportedly the needed fixes have been checked in (unconfirmed);
  • Cross your fingers and wait for the next release of PHP (the current releases are reportedly affected).
CVE-2006-4625
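As an added example (not from the diary), a small PHP check an administrator can place in a hosted site's document root after moving the restrictions into php.ini: it compares the settings PHP reports against the values you intended, and also probes whether open_basedir is actually enforced for a path outside it. The expected values and the probe path are assumptions to adapt to your own layout.

```php
<?php
// Added example, not part of the ISC diary. Verifies that the PHP
// restrictions an administrator intended (safe_mode, open_basedir) are
// the ones actually in effect for this virtual host.

// Assumed values: adapt to your own php.ini and site layout.
$expected = array(
    'safe_mode'    => '1',                   // php.ini: safe_mode = On
    'open_basedir' => '/var/www/site1:/tmp', // php.ini: open_basedir = ...
);
// Assumed: a world-readable file that lies outside open_basedir.
$probe_outside = '/etc/hostname';

function check_php_restrictions(array $expected, $probe_outside) {
    $problems = array();
    foreach ($expected as $key => $want) {
        $have = ini_get($key);
        if ($have === false) {
            // e.g. safe_mode on PHP builds that no longer know the setting
            $problems[] = "$key is not a known setting in this PHP build";
        } elseif ((string) $have !== $want) {
            $problems[] = "$key is '$have', expected '$want'";
        }
    }
    // A reported value is not the same as enforced behaviour, so also probe:
    // with open_basedir set, opening a file outside it must fail.
    if (ini_get('open_basedir') !== '' && ini_get('open_basedir') !== false) {
        $fh = @fopen($probe_outside, 'r');
        if ($fh !== false) {
            fclose($fh);
            $problems[] = "open_basedir did not block a read of $probe_outside";
        }
    }
    return $problems;
}

$problems = check_php_restrictions($expected, $probe_outside);
header('Content-Type: text/plain');
if (empty($problems)) {
    echo "OK: PHP restrictions match the intended configuration\n";
} else {
    echo "MISMATCH:\n - " . implode("\n - ", $problems) . "\n";
}
```

Run it once per hosted site after a configuration change and remove it afterwards; a mismatch on a site whose restrictions live only in httpd.conf is exactly the condition the diary warns about.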

--
Swa Frantzen -- Section 66 