[21378] in bugtraq
Re: [BUGTRAQ] php breaks safe mode
daemon@ATHENA.MIT.EDU (Sander Steffann)
Fri Jul 6 15:05:37 2001
Message-ID: <000d01c105f5$2ff757f0$8e01a8c0@OFFICE>
From: "Sander Steffann" <steffann@nederland.net>
To: "Steffen Dettmer" <steffen@dett.de>, <bugtraq@securityfocus.com>
Date: Fri, 6 Jul 2001 10:25:13 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Hi,
> Usually the Webserver is able to read the sources of the PHP
> scripts. PHP scripts may include passwords for database access.
> Since PHP is usually mod_php and not suexec'd, this seems to be a
> common problem. With account to such databases really important
> damage could be done!
It's possible to protect yourself against this. PHP has a so-called
open_basedir restriction, with which you can specify the directories that a
script is allowed to access. You can set a different restriction for every
VirtualHost.
Sander.
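
The per-VirtualHost restriction described in the reply above, sketched as an Apache/mod_php configuration. This is an added example, not part of the original message; the hostnames, users and paths are constructed.

```apache
# Constructed example: two customers sharing one Apache + mod_php server.
# Both sites run as the same web server user, so file permissions alone
# do not keep one customer's PHP scripts from reading the other's sources
# (and any database passwords in them).

<VirtualHost *:80>
    ServerName   alice.example.com
    DocumentRoot /home/alice/public_html

    # php_admin_value (unlike php_value) cannot be overridden from
    # .htaccess files or by ini_set() in a script.
    # Trailing slashes matter: older PHP versions treat the value as a
    # string prefix, so "/home/alice" would also match "/home/alice2".
    php_admin_value open_basedir "/home/alice/:/tmp/alice/"
</VirtualHost>

<VirtualHost *:80>
    ServerName   bob.example.com
    DocumentRoot /home/bob/public_html

    # Scripts in this site can open files only below these directories;
    # an attempt to open a file under /home/alice/ fails with an
    # open_basedir restriction warning.
    php_admin_value open_basedir "/home/bob/:/tmp/bob/"
</VirtualHost>
```

open_basedir is enforced by PHP's own file functions, so it limits what PHP scripts can open; it does not change what the web server process itself, or CGI programs run by it, can read.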