On Wed, Jan 30, 2013 at 05:52:38PM +0000, Andy Smith wrote:
> Hi Michael,
>
> On Wed, Jan 30, 2013 at 05:42:57PM +0000, Michael Stevens wrote:
> > So I've decided to join the cool kids and try PHP - in particular, I've
> > installed roundcube.
>
> Well, PHP was cool 5 years ago, now it's all ruby, node.js and
> clojure. :)
>
> > Is there any good info out there on securing php? I'd quite like to not
> > get hacked, which seems to be a common problem with PHP web apps.
>
> If "don't run PHP" doesn't work for you then my best advice is:

Eh. As much as I like to hate on php, any poorly written web application
is just as vulnerable. mod_php's default model just tends to be
inherently insecure, and silly application devs often solve permissions
issues with 777 "because it's just easier" (or maybe they're just
ignorant of how to *properly* secure a directory which needs to be
writable by the application).

That being said, "don't run PHP" :)

> - Keep it up to date

And the moment you stop using it, get rid of it. If you're not using it
daily, remove it. So many times at dreamhost customers were compromised
because of an application they'd installed and forgotten about which was
vulnerable. Keep an inventory of your applications, keep them up to
date. Purge early and purge often.

> - Expect to be compromised, so try to secure your PHP execution
>   environment from the rest of your server.
>
>   e.g. do assume that at some point an attacker will get to execute
>   commands as the user that is running your PHP app so try to reduce
>   what the app can do.

I can't agree with this statement any harder than I am right now. This
statement is basically web application security from an ops perspective
in a nutshell.
-Jeremy
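The two ops points raised in this thread, the "chmod 777 because it's easier" shortcut and limiting what the PHP user can do, can be checked with a small audit script. This is an added example, not code from the thread or from roundcube; it assumes the document root and the user PHP runs as are passed as arguments, and that `find` understands symbolic `-perm` modes (GNU and BSD find both do).

```shell
#!/bin/sh
# Added example, not from the thread: audit a web root for world-writable
# paths (the 777 shortcut) and for PHP source that the web-server user
# could rewrite, since an attacker running code as that user can then
# persist by editing the application itself.
# Assumed inputs: $1 = document root, $2 = user PHP runs as (e.g. www-data).

# List every world-writable file or directory below $1, one path per line.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -o+w 2>/dev/null | sort
}

# List PHP files below $1 that user $2 can modify: either world-writable,
# or owned by $2 with the owner-write bit set. Application code should
# not be writable by the account that executes it.
php_writable_by() {
    find "$1" -type f -name '*.php' \
        \( -perm -o+w -o \( -user "$2" -perm -u+w \) \) 2>/dev/null | sort
}

# Remove the world-writable bit from everything world_writable() reports
# and print how many paths were changed. A directory the app genuinely
# must write to should instead be group-owned by the app user's group
# with mode 2770; that ownership change is left to the operator.
fix_world_writable() {
    world_writable "$1" | while IFS= read -r p; do
        chmod o-w "$p" && echo "$p"
    done | wc -l | tr -d ' '
}

# Stand-alone usage: sh audit.sh /var/www/roundcube www-data
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    echo "== world-writable paths under $1"; world_writable "$1"
    echo "== PHP files writable by $2";     php_writable_by "$1" "$2"
fi
```

Run it from a cron job alongside the application inventory the thread recommends, so a forgotten install that drifts to 777 shows up before someone else finds it.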