On 2015-06-23, Markus Rosjat <ros...@ghweb.de> wrote:
> Hi there,
>
> just a short question... I have quite old 4.2 OpenBSD with a 5.2.4 PHP
> version. The safe_mode is on, a customer wants to have it off. Is there
> any security risk to it or do I need to check something on the system
> level to disable it but still have my environment secured?

safe_mode was removed in PHP 5.4. Take a look at http://php.net/supported-versions.php - so, safe_mode is not available in any version of PHP which is still receiving security updates.

PHP 5.2.4 definitely has a security risk to it; if you're running PHP, *especially* with customer-provided or otherwise untrusted scripts, you really ought to be tracking recent versions closely.

Suggestion: set up a new machine/VM with OpenBSD 5.7, install the newest PHP version, run openup (https://stable.mtier.org/) regularly to get updated versions, and get your customer to move across to it (this should be an easy decision for them to make as they want safe_mode off anyway). And arrange a process to keep things up-to-date...