PHP Security
PHP can be installed as a module inside the web server or run as a separate executable binary. In either case it can read files, execute commands and open network connections on the server, and PHP scripts carry all the power of a shell user. Anything running on that server may therefore face security problems, though careful coding reduces the risks to a great extent [php.net].
Common security risks in PHP [Abdul Basit, php.net]
The most common are:
1. Unvalidated Input Errors
2. Access Control Flaws
3. Session ID Protection
4. Cross Site Scripting (XSS) Attacks
5. SQL Injection Vulnerabilities
6. Error Reporting
7. Data Handling Errors
8. PHP Configuration Settings
PHP Security when installed as a CGI Binary [php.net]
- Do not place any interpreters into the cgi-bin directory.
- Even if PHP is installed as a standalone binary (and in the cgi-bin directory), PHP offers compile-time and runtime settings that prevent the attacks such a setup invites.
- Accessing system files: http://my.host/cgi-bin/php?/etc/passwd. Such URLs are risky because the part after the ? may be treated as command-line arguments to the interpreter, which in some cases lets the interpreter open files it should not.
- Accessing any web document on the server: http://my.host/cgi-bin/php/secret/doc.html. The path after the interpreter name selects the file PHP opens, so requesting documents this way is also risky.
The PHP compile-time option --enable-force-cgi-redirect and the runtime configuration directives doc_root and user_dir can be used to prevent such risks.
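As an added example (not from the original post), a PHP script that audits the mitigations this section names. It assumes it is run through the CGI binary (`php-cgi cgi_audit.php`) so that ini_get() reflects that SAPI's php.ini; the risk labels are my own.

```php
<?php
// Added example, not from the original post: audit the CGI hardening
// settings this section names. Assumed usage: run it through the CGI
// binary (php-cgi cgi_audit.php) so ini_get() reflects that SAPI's php.ini.

function audit_cgi_hardening(string $sapi, string $binary, array $ini): array
{
    $findings = [];
    if (!in_array($sapi, ['cgi', 'cgi-fcgi'], true)) {
        // The checks describe the CGI binary; flag when another SAPI is in use.
        $findings[] = "info: SAPI is $sapi, results describe php.ini values only";
    }
    // First bullet of the section: the interpreter must not live in cgi-bin,
    // otherwise /cgi-bin/php?<args> reaches it directly.
    if (strpos($binary, '/cgi-bin/') !== false) {
        $findings[] = "high: PHP CGI binary is inside cgi-bin ($binary)";
    }
    // cgi.force_redirect is the runtime form of --enable-force-cgi-redirect:
    // the binary runs only when the web server redirected the request to it
    // (signalled by REDIRECT_STATUS, or the variable named by
    // cgi.redirect_status_env), so /cgi-bin/php?/etc/passwd is refused.
    $force = $ini['cgi.force_redirect'] ?? '';
    if ($force === '') {
        $findings[] = 'info: cgi.force_redirect not registered (not the CGI SAPI?)';
    } elseif (!filter_var($force, FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'high: cgi.force_redirect is off';
    }
    // doc_root: when set, the CGI binary resolves the requested script
    // relative to this directory instead of trusting the server-supplied
    // path, confining /cgi-bin/php/secret/doc.html-style requests to it.
    if (trim($ini['doc_root'] ?? '') === '') {
        $findings[] = 'medium: doc_root is empty';
    }
    // user_dir: blank disables ~user script lookup; otherwise report it so
    // the reviewer knows which per-user directories are exposed.
    $userDir = trim($ini['user_dir'] ?? '');
    $findings[] = $userDir === ''
        ? 'info: user_dir is empty (~user scripts disabled)'
        : "info: user_dir = $userDir";
    return $findings;
}

$directives = ['cgi.force_redirect', 'cgi.redirect_status_env', 'doc_root', 'user_dir'];
$live = [];
foreach ($directives as $name) {
    $live[$name] = (string) ini_get($name);   // false (unknown directive) becomes ''
}
foreach (audit_cgi_hardening(PHP_SAPI, PHP_BINARY, $live) as $line) {
    echo $line, PHP_EOL;
}
```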
From: http://sitestree.com/?p=4742
Post date: 2008-07-09 01:21:35