I personally don't see this as a major problem; ASP and Cold Fusion do
things the same way. If you work the security end of things correctly,
people shouldn't be able to see your config file that you can include from
somewhere else . . . that people can't see or have a mimetype returned
properly. It's all about how you think about things running.
-- Bradley Miller
At 09:43 AM 2/21/01 -0500, you wrote:
>I recently just started using PHP. While it is easy to use, there are some
>very frightening security issues that I can't believe more people aren't
>complaining about. Security issues that should scare any sane programmer
>from using PHP. For instance, PHP scripts have to be world readable. Which
>means that anyone who hard coded in a username and password to their mysql
>database is putting their database at risk.
>
>Any other user with an account on the system has the ability to read
>another person's PHP source. They could then gain access to their MySQL
>account. Even dumb hackers can do this exploit. One other thing I've
>noticed is that in order for PHP to write to a text file, that text file has
>to be world writeable and world readable. That's crazy.
>
>I do not want my PHP pages to be world readable. I would like SuEXEC to
>work with PHP like it does for PERL.
>
>I have looked around the web and have yet to find a good tutorial on how to
>enable SuEXEC to work with PHP. I think it would benefit the PHP community
>if someone could come up with a clear, concise, easy to read tutorial
>explaining how to do this. The link to this tutorial, when it is written,
>should be plastered on every PHP site on the web.... or does such a tutorial
>exist already?
>
>Please let me know if a tutorial like the one I described above exists.
>
>=========================
>Matthew Toledo
>Athens Musician Network
>[EMAIL PROTECTED]
>http://music.athens.oh.us
>
>--
>PHP Install Mailing List (http://www.php.net/)
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
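An added example, not part of either message: a shell audit for the two permission problems the thread discusses, scripts with embedded database credentials that any local account can read, and data files that any local account can write. The function names, the `.php`/`.inc` extensions, the credential pattern and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report world-writable files and world-readable scripts that
# appear to embed database credentials under a web root.
# Assumptions: scripts end in .php or .inc; a mysql_connect call or a
# password-style assignment marks embedded credentials.

audit_webroot() {
    root=$1
    # Files any local account can modify (the world-writable text file case).
    find "$root" -type f -perm -002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
    # Scripts any local account can read that look like they hold credentials.
    find "$root" -type f \( -name '*.php' -o -name '*.inc' \) -perm -004 \
        -exec grep -lEi 'mysql_connect|pass(word|wd)?[[:space:]]*=' {} \; |
        while IFS= read -r f; do
            printf 'WORLD-READABLE-CREDENTIALS %s\n' "$f"
        done
}

# Constructed sample tree so the audit can be run offline.
make_sample_tree() {
    d=$(mktemp -d)
    # World-readable script with a hard-coded login: should be reported.
    printf '<?php mysql_connect("localhost", "app", "example-password"); ?>\n' \
        > "$d/index.php"
    chmod 644 "$d/index.php"
    # Included config readable by owner and group only (assumes the web
    # server runs in that group): should not be reported.
    printf '<?php $password = "example-password"; ?>\n' > "$d/config.inc"
    chmod 640 "$d/config.inc"
    # Data file the script writes to, left open to everyone: should be reported.
    printf 'guestbook entry\n' > "$d/guestbook.txt"
    chmod 666 "$d/guestbook.txt"
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
audit_webroot "$sample"
rm -rf "$sample"
```
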