Cross Virtual Host Cookie Theft

Friday, December 15. 2006

Friday, December 15. 2006



Within a shared hosting environment it is sometimes quite often possible to bind yourself to some high TCP port and accept incoming connections. Sometimes this is possible because you also get a shell account on the box and sometimes because dangerous PHP functions like stream_socket_server() are not disabled in the configuration. Unfortunately the ability to bind yourself to a port and receive connections is a threat to webapplications installed on different virtual hosts on the same IP, even if other security measures in place, like tight filesystem permissions or executing PHP script with the permission of the owner.

Consider the following PHP script, that will accept incoming connections on port 7778 and print out the connecting user's IP and the content he sends until an empty line.

<?php
  $socket = stream_socket_server("tcp://0.0.0.0:7778", 
                                   $errno, $errstr);
  if (!$socket) {
    echo "$errstr ($errno)<br />\n";
  } else {
    while ($conn = stream_socket_accept($socket)) {
      echo "<h3>".stream_socket_get_name($conn, true)
               ."</h3><br />\n";
      do {
        $line = fgets($conn);
        echo $line . "<br />\n";
        ob_flush(); flush();
      } while (!feof($conn) && strlen(trim($line))>0);
      fclose($conn);
    }
    fclose($socket);
  }?>

Now guess what happens when you connect with your browser to http://my.bookshop.shop:7778/ which happens to share the same IP with your script. The browser will connect to the port under your control and send it's HTTP headers to your script. Unfortunately this HTTP headers will also contain the cookie stored for http://my.bookshop.shop/ because browsers do not save the port number of the HTTP server that orginally set the cookie. This enables anyone on the same IP with the ability to accept connections to steal cookies from other people's webapplications.


A trivial but annoying trick. And considering how many people are vulnerable to URL Include vulnerabilities you can be pretty sure that the majority of PHP5 hosting servers will allow stream_socket_server().

Posted by Stefan Esser in Security, PHP at 01:59
Comments (40)
Link to this post


Comments
Display comments as (Linear | Threaded)

#1 Roxis ()
so, where i can get the _full_ list of dangerous PHP functions ? )
posted on Thursday, December 14. 2006
#2 Cristian Rodriguez ()
hrmmm.. the danger of this function wasn't in my books ;-) thanks Stefan.
posted on Thursday, December 14. 2006
#3 Stefan Esser wrote (Link) ()
A _full_ list will be part of the Suhosin documentation in the future. I am currently 125% loaded with work. Somewhen in January I will release more documentation.
posted on Thursday, December 14. 2006
#4 Ilia Alshanetsky wrote (Link) ()
How is this different from using a small binary to bind to a non-priveleged port? It would be trivial to write a small daemon to bind to arbitrary ports and write input into a text file of choice.
posted on Thursday, December 14. 2006
#5 Stefan Esser wrote (Link) ()
The difference is that dangerous functions like stream_socket_server() are often NOT disabled, because PHP comes with about a million dangerous functions.

But the effect would be the same with a binary. That's why I said sometimes you can do this because you have shell access. (And the ability to execute a binary of your choice is shell access.)
posted on Thursday, December 14. 2006
#6 Ilia Alshanetsky wrote (Link) ()
PHP does not have even 10000 functions, so I fail to see where did you find one million of them ;-). Shell access it not necessary, you can supply a binary via FTP and have it be loaded via a cronjob (something many ISPs provide). Another way is to setup the binary as a procmail handler and have it be started that way.

As far as binding to sockets most programming languages provide such functionality stock, I fail to see what's so special about the fact that PHP offers it as well.

If anything I'd be complaining to browser makers who fail to include port in the cookie hash and happily disclose sensitive data to other parties.
posted on Friday, December 15. 2006
#7 Stefan Esser wrote (Link) ()
The moment you can execute arbitrary binaries you have shell access.
It doesn't matter how you do that.

There are a bunch of PHP functions that should not be allowed in Frontend servers. Things like listening to sockets should not be available for normal webservers.

First you should complain to the cookie specification. It does not say that cookies are bound to the port. AFAIK.
posted on Friday, December 15. 2006
#8 Andi Gutmans ()
So are you saying that other languages (C#, Java, Python, Ruby) do not allow socket binding?
posted on Friday, December 15. 2006
#9 Richard Thomas wrote (Link) ()
What I find interesting is that a self proclaimed "security expert" would rather take shots at php then provide a non-biased article that covers all the facts.

Your article does no service the php community, matter fact its biased approach might suggest that this issue is limited to php when it is not.

What programming lang doesn't have some sort of stream/socket functions, I can do the exact same trick in perl, ruby, C, heck I think even visual basic has enough backbone to pull this "hack".

You can't agree with a few people behind php, thats fine but grow up cause this article does not but lower your worth as a security expert to anyone.
posted on Friday, December 15. 2006
#10 Stefan Esser wrote (Link) ()
Richard,

and now you smart guy explain the world how you run a Visual Basic script doing this on one of the shared hosting servers out there.

Additonally you might try to explain to me how you run a C program on a shared hosting servers.

Maybe you show me how you run a perl, ruby, python whatever script on the majority of shared hosting servers that only support PHP.

I am waiting...
posted on Friday, December 15. 2006
#11 Stefan Esser wrote (Link) ()
Ohh btw...

From my point of view it is strange that me warning the PHP community about a function they should disable in a shared hosting environment is a bad thing....

Oh wait... It is the old mentality again... Blame a PHP core function => bad guy!!! Blame some PHP app => Great Guy!!!

Guys, YOU really need to grow up. Face it. PHP comes with far too many dangerous functions, that are installed and reachable nearly everywhere. These features get introduced again again and noone is looking at the potential danger and is documenting it...

Ohh wait I just did that. Ohh sorry I forgot: Blame a PHP function and you are the bad guy...
posted on Friday, December 15. 2006
#12 Ilia Alshanetsky wrote (Link) ()
You are correct that the spec does not indicate that cookies can be bound to a port. I suppose that's an oversight of the cookie spec (RFC2109), however it does not say a port cannot be part of the domain.

The domain element is defined as word, which according to a spec can be a "token | quoted-string". This means that a browser could easily support :port as part of the domain attribute default to current port in the absence of one without violating the spec.

Going back to the immediate problem, a solution for an ISP (which most do so already) would be to drop incoming connections on unauthorized ports via firewall. This means a user who bind port 7878 and then does tricks the user into visiting somelocaldomain.com:7878 would not get the incoming request.
posted on Friday, December 15. 2006
#13 Stefan Esser wrote (Link) ()
Defending against this is quite easy:

Configure your firewall correctly. There is no need for a webserver to have any other port open than HTTP, HTTPs and maybe SSH.

Additionally webservers should not be allowed to make outbound connects. This would also stop URL include holes. But the majority of exploited servers show that not many configure the server that way.
posted on Friday, December 15. 2006
#14 Richard Thomas wrote (Link) ()
I don't use windows much so I am only assuming you could run a visual basic script on a windows hosting server, some companies do shared windows hosting.

As to the C question your kidding right? You the security expert are asking me how to run a C program on a shared hosting server?

Your whole attack is based on having access to that server, having an account on that server, which means having the access to run scripts and upload files!

You do realize you can run C programs in a cgi directory right?

Maybe you should read http://www.cs.tut.fi/~jkorpela/forms/cgic.html
posted on Friday, December 15. 2006
#15 Ilia Alshanetsky wrote (Link) ()
I for one agree that the potential abuse of this function should be documented in the manual. But, at the same time I think it is wrong to cripple a programming language on the concept that someone may abuse its features for their own nefarious purposes.

When it comes down to it, when you have access to a programming language on a computer and you wish to do harm it is very hard to stop a person.

Consider this little snippet:

ignore_user_abort(true);
$a = str_repeat("a", 1024*1024*6); sleep(100000);

and hit this script 50-100 times. I suppose if ignore_user_abort() disabled, you can always keep the connection open sending 1 byte every few seconds.
posted on Friday, December 15. 2006
#16 Stefan Esser wrote (Link) ()
Richard,

you have obviously NO idea about shared hosting. Most shared hosting companies would kill you if you try executing arbitrary code on their server. YES you have an account, most probably a FTP account that allows you uploading PHP files, nothing more, nothing less.

Like I stated above in the original blog entry: If you have shell access == ssh account you can do this all without PHP.

But I think discussion with you is pointless anyway. You are on your childish trip to discredit me. Try harder next time...
posted on Friday, December 15. 2006
#17 Andi Gutmans ()
Stefan,

My problem is not with the information you wrote in the article, but with the information you didn't write. You make it sound as if this is only about PHP. A less biased security expert would point this out as a general issue and give examples of multiple languages that would have such problems (i.e. document a generic risk with numerous examples).
I value such information being out there, but it should not be biased for personal reasons.

I also suggest to mention the disable_functions INI directive which allows shared hosting providers to turn off some of these functions. Or maybe even better, commit a php.ini-shared-hosting-recommended to the PHP source tree to make shared hosting provider's lives even easier. That would be very helpful..
Andi
posted on Friday, December 15. 2006
#18 Ilia Alshanetsky wrote (Link) ()
A good firewall via ipfw (FreeBSD) or iptables (Linux) is essential for a any scripting enabled web hosts. The best example of this is a one line DDOS that is quite nasty as it'll often survive a simple service restart.

In PHP terms it is done by doing: file_get_contents("current_url");

If allow_url_fopen is enabled (if not you need to use fsockopen() or alike) this will create a request loop, which within a few seconds will cripple even the most powerful of servers. "Best part" is that if you just do apache restart, one request usually survives in the tcp/ip buffer and ends up hitting the newly restarted server, resuming the attack. Although perhaps you can think of something for this for Suhosin ;-)

The simplest way to prevent this would be via a firewall rule that prevents local connections to the http port.
posted on Friday, December 15. 2006
#19 Stefan Esser wrote (Link) ()
Andi,

shared hosting companies, the obvious target audience of this blog entry know that they can disable functions via disable_functions. What they don't know are the names of all the dangerous function...

This blog entry told them about one more to ban. And gave a reason why to ban.

I suggest that you reread the blog entry. It starts with saying that this can be done with shell access too, but then goes into detail how this is possible with PHP.

You turn this into a rant against PHP. People reading this comments will get exactly the right impression: Point your finger at a PHP function and you are the bad guy.

I guess Microsoft would not be pissed at all if one would demonstrate howto do this in C#. And I guess the GCC guys would not be pissed when you demonstrate it in C. Of course in the PHP world this is different. If you create PHP example code for a problem you are a bad guy, a biased security expert.

It is really amusing how you spread your propaganda that I am in a holy war against PHP and PHP developers for personal reaons.
posted on Friday, December 15. 2006
#20 Andi Gutmans ()
On the contrary, I am saying that you should give the all-in-one disable_functions line that shared hosting providers should put into their php.ini. This would be much more helpful than one function at a time. We can then add this recommendation to the PHP manual and possibly have a php.ini-recommended-shared-hosting. I would absolutely help make such a recommendation visible to that audience.
posted on Friday, December 15. 2006
#21 Cristian Rodriguez ()
On this article I only read that the function stream_socket_server() can be abused in some ways and shared hosts may want to disable it.

Of course I know this can be done with other languages, and TFA does not say it is exclusive of PHP. why people is reading between the lines ? ? ;-)
posted on Friday, December 15. 2006
#22 Tom Claessens wrote (Link) ()
Thanks for sharing.
I'll keep an eye on your blog for more of these functions, so I can compile a list of functions to disable for our hosting company (or perhaps they're already doing it, I don't know).

I do write PHP for a living, so it's nice to see someone "puncturing" the bubble because I never really spend that much time on the security side / testing of PHP. I write my code the best way I know it, I can and if it works, (and I do test some bogus user input) I call it a day without looking back at the actual functions I use.

Andi Gutmans (#9) has also a good point for the modified php.ini
posted on Friday, December 15. 2006
#23 Sencer wrote (Link) ()
Come on, Stefan, you should have given details about all the languages where this is possible. After all you it's not like you have ever focused on php security, or that THIS site is in any way PHP-specific. And please, change the domain name away from "php -security.org", because it gives people the idea hat you are writing about security in a PHP context, which you shouldn't if you find even the tiniest chance that a problem might affect LISP, FORTRAN or my uncle bob's scripting language when it is running on a webserver.[/sarcasm]

I can't believe some people are claiming that all (affected) languages should be blamed equally if a problem is found that affects PHP. Why? Instead of appreciating that Stefan is researching and uncovering security-related issues that affect PHP, people are attacking him for not going after other languages? Are you serious? You want him to spend less time on PHP and more time on other lanugages? How would PHP gain from that?

One thing should by crystal clear, regardless: From the Point of popularity and average user-skills, PHP is already the "Windows of the dynamic web-programming languages". It didn't help Microsoft's image or security record when they (sometimes rightly) blamed problems on the user, or tried to point their finger at other Operating System's that suffer(ed) the same problems at one point or another. When you're at the top of the food chain, you will always get the most of the flak, that's just the way it is. There is [b]zero[/b] point in attacking the people writing about it.
posted on Friday, December 15. 2006
#24 Daniel Papasian wrote (Link) ()
Andi,

Why should he? Unless Stefan claims to have evaluated every function available in PHP core, it would be irresponsible for him to make a recommended disable_functions directive as he could not possibly know whether functions he hasn't evaluated should be disabled or not.

If you're truly going to be security minded, then all functions should be in disabled_functions until it can be shown that allowing them on a shared host doesn't allow people to attack or break out of their own security context. And that wouldn't be useful.

I appreciate Stefan's work on this issue.
posted on Friday, December 15. 2006
#25 WarrenFaith wrote (Link) ()
Sencer wrote:
---
I can't believe some people are claiming that all (affected) languages should be blamed equally if a problem is found that affects PHP. Why? Instead of appreciating that Stefan is researching and uncovering security-related issues that affect PHP, people are attacking him for not going after other languages? Are you serious? You want him to spend less time on PHP and more time on other lanugages? How would PHP gain from that?
---
Full acknowledge!
posted on Friday, December 15. 2006
#26 dreamscape wrote (Link) ()
I fail to see the significance of this issue. Unless the domain you are exploiting is holding really sensitive information in the cookie, the impact is going to minimal.

AND, other threats which exploit open ports and have much more severe consequences will effectively block socket abuse (this is not really an exploit at all, but pure abuse: socket abuse). Because you will find most decent hosts to be running a firewall, possibly some type of socket monitor for unauthorized sockets (such as LSM [Linux Socket Monitor]), and an aggressive policy about not using their server for malicious purposes.

So really, you should only worry about something like this if 1) you host with a hacker friendly host, or 2) your host is a complete moron... and if you have a host like either of those, then you have much much bigger things to worry about than someone else on the server abusing stream_socket_server() ;-)
posted on Friday, December 15. 2006
#27 Johann Hartmann ()
Actually stefan made a rather interesting finding about the implementation of the same-origin-policy inside most browsers.
From the server side point of view, ports do matter a lot, since they can happen to be completely separated services.
From the client side ports - currently - don not matter, and the same origin check is only hostname based.
IMHO the mistake happens on the browser side, and one could expect other attack vectors to come where same origin matters.
posted on Friday, December 15. 2006
#28 nick wrote (Link) ()
What I find interesting is that a self proclaimed "security expert" would rather take shots at php then provide a non-biased article that covers all the facts.
My problem is not with the information you wrote in the article, but with the information you didn't write. You make it sound as if this is only about PHP.

Huh? This is "php-security dot org." Why are you complaining about "shots at PHP" or "this is only about PHP".

This blog is about PHP, yes? PHP security?

Advice for PHP shared web hosting providers re: security in PHP shared web hosting... definitely not the right content for a PHP security blog. :-)
posted on Friday, December 15. 2006
#29 Stefan Esser wrote (Link) ()
Sorry but you are living in a dream world. Why do you believe so many servers fall victim to URL include vulnerabilities?

If servers had correctly configure firewalls then this would not happen at all.

You fail to see the relevance? Uhmm, you are aware that cookies often contain userpasswords in plaintext or in hashed form? They also often contain the session id, which allows taking over other peoples sessions.
posted on Friday, December 15. 2006
#30 Richard Thomas wrote (Link) ()
"Most shared hosting companies would kill you if you try executing arbitrary code on their server"

Every php script out there is "arbitrary" code, I have worked at 4 companies that provide hosting, most hosting companies disallow "background" processes that run outside of apache, cgi, be it perl, php, or even C is rarely looked into unless a resource problem comes up.

Hosting companies do not have time to verify every single script run by a customer.

Take a look at

http://cgi.resourceindex.com/Programs_and_Scripts/C_and_C++/

These are all C and C++ based programs made to be uploaded and run as CGI, your telling me no hosting company will allow any of these to run?
posted on Friday, December 15. 2006
#31 Stefan Esser wrote (Link) ()
Sorry but you are wrong.

A PHP script is not arbitrary code. It is possible by blacklisting functions to forbid PHP to perform dangerous actions. This is not possible in other programming languages. (At least to the same degree) For the simple reason that PHP is considered a language safe to use in a hosting enviornment, because you can not harm the server. (In theory)

In reality however the protections of PHP like safe_mode are worth nothing although people believe they are. PHP is a web scripting language. Users assume when you install it on your server and give people the right to create webpages that they cannot do any harm with that. Especially when you disable exec functions hosters believe that they are pretty safe if they are running the script as the unix user owning the script and have their filesystem permissions configured right.

However this believe is wrong, because PHP has dangerous functions like binding to a socket, which is a feature NEVER wanted on a webserver. People are not aware of this, because it is nowhere documented that between two revisions of PHP a bunch of NEW dangerous features are introduced that an admin has to deactivate before upgrading. This means upgrading PHP is dangerous for hosting companies.

And sorry you can argument about C and C++ CGI scripts the whole day. Your arguments are irrelevant. The majority of companies does not allow anything other than PHP scripts, because it is assumed that PHP scripts stay within the webserver and do not fork background processes.

And by the way you can try to argument the whole day long that you are right. You are plainly wrong. This started with your first accusation that this blog entry was a rant against PHP. In reality it demonstrated a cross port cookie problem and used a PHP script as example. It also contained the valuable information that a hosting company should deactivate this feature in PHP because it is potentially dangerous.

But you ignore all this, because you are trying to attack and discredit me.
posted on Saturday, December 16. 2006
#32 dreamscape wrote (Link) ()
>> Why do you believe so many servers fall victim to URL include vulnerabilities?
>> If servers had correctly configure firewalls then this would not happen at all.

Are you saying that applications shouldn't be able to communicate with applications on other servers at all? Sorry Stefan, but this is the year 2006, not 1996. Communication with other servers is critical for most business applications. And it is even becoming an integral part of non-business applications with all of the non-business oriented web services that are popping up.

>> Uhmm, you are aware that cookies often contain userpasswords in plaintext or in hashed form?

Way to not read Stefan. I said, "Unless the domain you are exploiting is holding really sensitive information in the cookie, the impact is going to minimal." Please go back to school and re-learn how to read, since apparently you didn't quite get it in the 12 years you were there.

Not to mention that any application that stores your password in a cookie is more than likely not going to have any critical data about you. Such applications most commonly are forums.

Oh no, someone got into my forum account, what will I do? I'm ruined for life now. *since you have trouble reading, I'll just tell you that was sarcasm, since you probably wouldn't get it if I didn't tell you*

And let's not forget that an application that stores a password in a cookie, if exploited, is an exploit of a hole in the application, and not a problem of stream_socket_server(). A person could also intercept the cookie in another way besides stream_socket_server() or even just get it off your computer (if they had access).

Cookies are not in any way, shape, or form secure, and any reasonable developer is going to know this, and know not to store sensitive information in them for critical applications, or at least weigh the cost to benefit for non critical applications such as forums.

>> They also often contain the session id, which allows taking over other peoples sessions.

That is only possible if the application is using sessions in an insecure way. We all know that the PHP session engine is very lax in its policies, but it is easy enough to, and there certainly are enough articles on securing your sessions so that session hi-jacking is not easy to do.

And if someone really did want to take over your session, and the application has an insecure implementation, there are far easier ways to do it than intercepting the cookie. Namely session fixation.

But again, here the root of the problem is not with stream_socket_server(). It is with the application's session implementation, and arguably it is with PHP's session engine.

Don't blame the insecurity of cookies and sessions on sockets.
posted on Saturday, December 16. 2006
#33 Stefan Esser wrote (Link) ()
dreamscape,

you are wrong.

If I can catch all your HTTP headers, then there is absolutely NO way for an application to protect against session hijacking, unless you want to use an by IP protection, which simply does not work in real world for public sites, because of big ISPs and proxy farms that usually change the IP.

Additionally you claim that communication between servers is a must. One post before you were arguing that with a firewall in place it is not possible to communicate between servers. You must decide, do you allow communication or not? (And don't bother telling me that you can configure a firewall to allow outbound but not inbound connections)
And I guess people don't care if YOU know about how to configure a firewall. Additionally you forget that PHP scripts also allow connecting to arbitrary ports on the server they are running on. I wonder if you consider it a good feature of PHP if one of your shared hosting customers is able to create a PHP script that acts like a TCP proxy and allows external people to connect into your internal network, while you only allow port 80 communication to the outside. There have been several MySQL exploits in the past and I seriously doubt you would like that some Shared Customer creates TCP forwarder that allows him connecting to your MySQL (or whatever) server and launch exploits against it.
Please continue to tell me that PHP's ability to connect and accept incoming connections is NOT a problem.

Unfortunately you obviously have not audited many software projects. The claim that only forum software stores passwords in cookies is plain wrong. First of all all the blogs do it. Getting into a blog is maybe not a problem from your point of view but other people might think different. Additonally shop software written by 3rd parties often have "remember me" functionality. That is a fact.

And your "someone got into my forum account" argument shows that you have problems understanding security. If I can get into the account of the admin I can takeover the forum or in most cases change templates which allows me in many cases to execute PHP code. This PHP code might leak information previously not accessible to me. Like the database passwords of the virtual host. With this information I can not only takeover the support forum of a company but also the shop database that belongs to the same virtual host.

Ohh yes I know... Not a PHP problem...

If PHP had no stream_socket_server() function or it was marked as dangerous so that people would actually know that it MUST be disabled nothing like this would be possible...
posted on Saturday, December 16. 2006
#34 manuel ()
Stefan, I am really curious what you expect from PHP? Most of your points regarding "problems" in PHP are not meant to be problems - they are functions.. so developers can use todays technologies betters or create better applications. the idea behind them were not to create more problems.. If you remove most of the functions you will limit the language in performing tasks. That you can connect to a local socket is a problem for you.. for others this is a feature to be able to interact with other services on the server. It seems to me that your problem is really with the idea behind the language and not "some functions"

And to your point about creating a socket on a different IP and sniff passwords or sensitive informations.. so you create your "sniffer" on port 88. So what? You want to run a marketing campaign to attract visitors to your new port..? nobody will connect there without a way bigger problem before
posted on Wednesday, December 20. 2006
#35 Stefan Esser wrote (Link) ()
Manuel,

first of all I cannot open port 88 because it is a privileged port and the OS will forbid this unlike you run PHP as root.

Secondly you obviously fail to understand the whole idea. I do not need to create a marketing campaign to attract visitors to that port. I can get their browsers into connecting to my port by for example tricking them into visiting my website which contains a simple IMG tag that has the other port in it's src.

Tricking users or especially admins into visiting your own site is often as simple as putting the URL into a blog comment, or paste it into their support forum.

From some point of view every security bug is a feature. And yes on your own server with only your own scripts you can happily use every PHP function you want but in a shared environment all socket functionality is EVIL.
posted on Wednesday, December 20. 2006
#36 manuel ()
You are right, port 88 was a bad example since it won't work in most environments.. make it 8888 :-) Your attack scenario is possible, but without the effort on generating your own traffic it won't have a big impact in my opinion. Not to mention that several people mentioned here that every 'shared environment' should have additional layers of protection like firewalls, logging, port/socket monitoring etc. A web presence is not just the script.. its everything.

The point I was trying to make wasn't that "security bugs" are features.. but that most of the functions you criticize are designed to offer new possibilities for developers. Yes you can abuse listening sockets or the ability to open sockets but at the same time this could offer your application to communication with other applications, create 'servers' etc. That there are better languages out there for these tasks is no question but again.. you mention that these "security issues" work in most places since most hosts accept PHP and not the other languages. If you develop an application and it won't work on most of your clients systems - then there is no real reason to develop it in the first place. If you disable functions designed to offer new features - you are against the idea of PHP in my opinion.. since you will not only prevent "security issues" but also limit developers and break applications. Think about why PHP is that popular....

The more you can do with a language - the more you can also easily abuse in your point of view - but others may see that as new possibilities or increased productivity. If you _don't need_ certain connections, functions, languages as a host... disable or restrict them - but saying that a certain function is "bad" in general with such an example is wrong in my opinion.

There are far more critical issues in php then that..
posted on Thursday, December 21. 2006
#37 bill ()
thank you for the article Stefan. valuable information to consider.
posted on Thursday, December 21. 2006
#38 Jonathan Rockway wrote (Link) ()
> For the simple reason that PHP is considered a language safe to use
> in a hosting enviornment, because you can not harm the server.

Not entirely true -- Perl has Safe.pm which prevents dangerous things quite effectively (try crashing one of the many IRC bots on irc.perl.org that eval Perl; very difficult). Coupled with per-process resource limits, I think perl does a much better job of being safe.
posted on Thursday, December 21. 2006
#39 Bill ()
Thanks for the information shared.

Even the hostle comments shed some insight about PHP and web security. Although they soon turned personal.
posted on Saturday, December 23. 2006
#40 Alan ()
So as a person with shared web hosting, how can i get this functionality disabled?
posted on Wednesday, January 3. 2007

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
 

Submitted comments will be subject to moderation before being displayed.
 
Calendar
Back September '09
Mon Tue Wed Thu Fri Sat Sun
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30        
Archives
September 2009
August 2009
July 2009
Recent...
Older...
Categories

All categories
Syndicate This Blog
Protected By

Hardening-Patch for PHP