[SPTUsers] Security

Edward Almasy ealmasy at scout.wisc.edu
Fri Feb 28 09:52:35 CST 2003


On Thu, Feb 27, at 03:36:36PM, Alejandro Fernandez wrote:
> Another question is: I've noticed through looking at the code that it
> seems to cater for register globals being off, and indeed, I installed
> the latest versions of php and apache 1.3.x and things seem to work
> quite fine. But has anyone ever had any security problems?

   We had one security hole found last fall, but that was fixed in 0.9.7.
   Other than that I'm not aware of any problems.  As of version 1.1.0 SPT
   should run fine in PHP safe_mode, which adds another complete layer of
   security precautions on top of what's already in the code.

   (I do need to mention one problem with safe_mode:  it may restrict your
   use of uploaded GIF images in SPT.  Unfortunately, because of the GIF patent
   issues, the only way we can support GIF under newer versions of PHP is to
   call external executables, and those calls are blocked by safe_mode.)


> What can be done to ensure that SPT is secure with the data it keeps and
> does not allow people to steal, alter data or even gain unauthorised
> entrance to the server? I'm considering running Nessus on it, as this
> would catch simple forms problems with scripts etc...
> Or even, what can I say to reassure these perlmongering phpphobes?

   You can point them toward PHP's aforementioned safe_mode, which is
   described in some detail here:
           http://www.php.net/manual/en/features.safe-mode.php

   While no useful language can always be absolutely secure, having written
   many thousands of lines of both Perl and PHP I think I can say with some
   confidence that PHP is generally more secure than Perl, if for no other
   reasons than that much more of the functionality in PHP is integrated
   as part of the language core and PHP applications tend to run farther from
   the OS than Perl.  (Not trying to start a language war here -- I think
   they're both excellent programming languages, in their domains.)


   We will be reviewing security again before the next release.  In the
   meantime, if you encounter anything that you think might be a possible
   security issue, please let us know ASAP.

   Ed



-- 
   Edward Almasy                                     ealmasy at scout.wisc.edu
   Research Director                                   1308 W Dayton Street
   Internet Scout Project                                  Madison WI 53706
   Computer Sciences Department                        608-262-6606 (voice)
   University of Wisconsin - Madison                     608-265-9296 (fax)
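As an added illustration of the register_globals point raised in the quoted question (this is example code, not SPT's own): the first fragment is the pattern that is only safe while register_globals is Off, the second is the same logic written so that it does not matter what the ini setting is. The variable names and the use of REMOTE_USER are invented for the example.

```php
<?php
// Added example, not from SPT. Names are invented for illustration.

// 1. Pattern that silently depends on register_globals being Off.
//    With register_globals=On, PHP pre-populates $is_admin from any request
//    parameter of the same name before this code runs, and the failure path
//    never resets it, so the flag can be set by the client, not by the check.
if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] === 'admin') {
    $is_admin = true;
}
if (!empty($is_admin)) {
    // admin-only work
}

// 2. Same logic written to be safe regardless of the ini setting:
//    refuse to run when register_globals is On, initialize every variable
//    before use, and read request data only through the superglobals.
if (ini_get('register_globals')) {
    // ini_get returns "1" when the directive is On, and "" or "0" when it is
    // Off (or false when the directive no longer exists in this PHP version).
    exit('register_globals must be Off');
}

$is_admin = false;                                   // explicit default
if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] === 'admin') {
    $is_admin = true;
}

$page = isset($_GET['page']) ? $_GET['page'] : 'home'; // explicit source
if (!preg_match('/^[a-z0-9_]{1,32}$/', $page)) {       // allow-list the value
    $page = 'home';
}
```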

