Did you know you can make a server parse HTML pages as PHP (execute PHP code in an HTML doc) using .htaccess?
Well, some people say it’s bad to do so. Why?
Some people also say it opens a security vulnerability in your application. How?
The source code is still removed before the document reaches the browser, so it can’t be the case of unauthorized access to source code, right?
Let me start with a little story: back when I was a security contact at a Linux distribution vendor, the PHP security team begged Linux vendors to stop calling interpreter crashes security bugs, even when the PHP interpreter was running inside the web server (say, mod_php on Apache). (At the time, roughly one interpreter crash was being found per week.) It took a little bit of conversation for them to actually convince us that whoever supplied the running PHP code is completely trusted and any attempt to control what the scripts could do from the interpreter was misguided — and if someone figured out how to crash the interpreter to walk around the restrictions it tried to impose (such as the entire silly safe mode pile of crap), it was not a security flaw, because the safe execution of scripts was not the goal of the PHP interpreter — it never was and never would be.
I’m actually pretty happy with the end result of the discussions — it clearly defined PHP’s security goals: You should only ever allow execution of PHP code that you 100% completely trust. If you do not trust it, you do not run it. It’s that simple.
Whatever operating system resources are available to the interpreter are all available and fair game, regardless of whether the script exploits a bug in the interpreter or just does something unexpected.
So, please do not allow random code to be executed in the context of your webserver unless that is what you really want.
Please use the principle of least privilege to guide what resources are available to every program.
Consider using a mandatory access control tool such as AppArmor, SELinux, TOMOYO, or SMACK to further confine what your programs can and can't do. I've worked on the AppArmor project since 2001 or so and am fairly confident that with a day's effort most system administrators can enhance their site's security in a meaningful way with AppArmor. Please evaluate several options, as the different tools are designed around different security models — one or another may be a better fit.
But whatever you do, please don’t run your server in a fashion that needlessly opens it up to attack via extra vectors.
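The "extra vector" in the question is a single line of .htaccess: once `AddType application/x-httpd-php .html` (or the equivalent `AddHandler`, or a `SetHandler` inside `<FilesMatch>`) is in place, every .html file the server can reach is PHP source, including anything an upload feature, a CMS editor or a compromised FTP account drops into the tree. The script below is an added audit helper, not code from this thread or from the PHP or AppArmor projects. It scans .htaccess text for the directives that route files to mod_php and reports every extension that would execute, so you can see whether a directory grants more than the `.php` you intended. The handler names in `PHP_HANDLERS`, the `EXPECTED` set, and the four constructed sample configurations are assumptions; the directive matching is a deliberate simplification of Apache's real configuration parser.

```python
"""Flag .htaccess directives that hand non-.php files to mod_php.

Added audit helper (not from the thread). It understands only the directives
that matter for the question: AddType, AddHandler, SetHandler inside
<FilesMatch>, RemoveHandler/RemoveType, and php_flag engine off. This is a
simplification of Apache's configuration parser, not a replacement for it.
"""
import re

# Handler/MIME names that route a request through mod_php. Assumption based on
# common mod_php builds; extend it for the names your distribution uses.
PHP_HANDLERS = {"application/x-httpd-php", "php-script", "php5-script", "php7-script"}

# Extensions you intend to execute as PHP; anything beyond this is a finding.
EXPECTED = {"php"}

FILESMATCH_OPEN = re.compile(r'<FilesMatch\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
FILESMATCH_CLOSE = re.compile(r"</FilesMatch\s*>", re.IGNORECASE)


def php_targets(htaccess_text):
    """Return what the given .htaccess text would execute as PHP.

    Items are bare extensions ("html"), "regex:<pattern>" for a SetHandler
    inside <FilesMatch>, or "*" for an unconditional SetHandler. Returns an
    empty set when 'php_flag engine off' switches the interpreter off entirely.
    """
    targets = set()
    engine_off = False
    current_pattern = None  # pattern of the enclosing <FilesMatch>, if any

    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = FILESMATCH_OPEN.match(line)
        if opened:
            current_pattern = opened.group(1)
            continue
        if FILESMATCH_CLOSE.match(line):
            current_pattern = None
            continue

        parts = line.split()
        directive = parts[0].lower()
        args = [a.lower() for a in parts[1:]]

        if directive in ("addtype", "addhandler") and len(args) >= 2 and args[0] in PHP_HANDLERS:
            # e.g. AddType application/x-httpd-php .html .htm
            targets.update(ext.lstrip(".") for ext in args[1:])
        elif directive == "sethandler" and args and args[0] in PHP_HANDLERS:
            # SetHandler applies to everything in scope, or to the FilesMatch pattern
            targets.add(f"regex:{current_pattern}" if current_pattern else "*")
        elif directive in ("removehandler", "removetype"):
            # Simplification: treat both as undoing any earlier mapping of the extension
            targets.difference_update(ext.lstrip(".") for ext in args)
        elif directive in ("php_flag", "php_admin_flag") and args[:2] == ["engine", "off"]:
            engine_off = True

    return set() if engine_off else targets


def unexpected_php_targets(htaccess_text):
    """Targets not in EXPECTED: the extra vectors the answer above warns about."""
    return php_targets(htaccess_text) - EXPECTED


# Constructed sample .htaccess contents (not taken from the thread).
WIDE_OPEN = """
# Every .html and .htm under this directory is now PHP source.
AddType application/x-httpd-php .html .htm
"""

VIA_FILESMATCH = r"""
<FilesMatch "\.(html|htm)$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

UPLOADS_DIR = """
# What an upload directory should look like: nothing here executes.
php_flag engine off
RemoveHandler .php .phtml
"""

NORMAL = "AddHandler application/x-httpd-php .php\n"

if __name__ == "__main__":
    for name, text in [("WIDE_OPEN", WIDE_OPEN), ("VIA_FILESMATCH", VIA_FILESMATCH),
                       ("UPLOADS_DIR", UPLOADS_DIR), ("NORMAL", NORMAL)]:
        print(f"{name}: executes as PHP -> {sorted(php_targets(text))}; "
              f"unexpected -> {sorted(unexpected_php_targets(text))}")
```

Two caveats when reading the results. A .htaccess directive only takes effect if the server configuration lets it: `AddType`, `AddHandler` and `SetHandler` need `AllowOverride FileInfo` (or `All`), and `php_flag` needs `AllowOverride Options` (or `All`) and only exists under mod_php, not under php-fpm. The script does not see the server configuration, so a directory it reports as clean can still be wide open through an `AddType` in httpd.conf, and a directory it flags may be harmless if overrides are disabled; check both.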