Hi,

This topic was already discussed in bugtraq and there should also be an entry in the PHP bug database about this:

http://www.securityfocus.com/archive/1/250196
http://www.securityfocus.com/archive/1/250593

> i fully support rasmus, saying that we should mention the default
> configuration as unsafe in the documentation.

I absolutely agree with you. I would even suggest to set "engine = Off" by default, which forces admins to at least have a quick look at php.ini. But unfortunately a dedicated server does not cost much more than virtual hosting anymore (just have a look at http://powerraq.com/ ). PHP is mostly pre-installed (with "dev settings" and not "production settings" - many admins even forget to switch on safe_mode), and this laziness leads to thousands of insecure PHP installations on production machines. Yes, there are many idiots who call themselves admins (cobalt's servers have a graphical user interface, so you never get in touch with the underlying software), but in the end these people could spoil PHP's reputation and *that's* what I'm worrying about.

> Unlike Mr. Lorch [..]

"Daniel" is ok :) I really don't know why people call me "Mr". Maybe add my family name, otherwise I might get taken for "Daniel Beulshausen" (php4win.de).

> [..] or similar people i do not think its our responsibility to
> configure the server for the admin. And i am a little bit tired about
> this whole session takeover discussion. Because in the end its our
> responsibility to design a secure new unsniffable protocol and develop
> clients and servers for it. Because THIS would be the only way to stop
> session takeovers. As long as session IDs are transferred over http/https
> they are insecure *POINT*

HTTPS is just a component of the whole end product - PHP is another component and from a modular point of view, each component has to take any possible precautions to ensure maximum security.

Kind Regards,
Daniel Lorch

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
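The "dev settings vs. production settings" point and the "PHP as a component must take its own precautions" point above can be made concrete with a php.ini fragment. The following is an added example, not part of the original message and not a file shipped by the PHP project: it places the kind of permissive defaults the post complains about beside a hardened baseline. The directive names are real php.ini directives; the grouping, the comments and the choice of values are my own, and safe_mode (named in the post) is left out because later PHP releases removed it. Some of the session directives in the hardened block were added to PHP after this thread was written.

```ini
; Constructed example, not from the original post or from the PHP project.
; Left block: permissive "dev settings" that too often reach a production host.
; Right block: a production baseline that makes PHP itself harder to use for
; session takeover, independent of whether HTTPS is in front of it.

; ---- weak "dev settings" (shown commented out so this file stays usable) ----
; engine = On
; display_errors = On            ; leaks file paths and stack traces to clients
; expose_php = On                ; advertises the exact PHP version in headers
; session.use_only_cookies = 0   ; session ID is also accepted from the URL
; session.use_trans_sid = 1      ; session ID rewritten into links -> logs, referers
; session.cookie_secure = 0      ; session cookie is sent over plain HTTP
; session.cookie_httponly = 0    ; cookie readable by script, e.g. via XSS

; ---- hardened production baseline ----
; The post suggests shipping "engine = Off" as the default so that an admin
; must open php.ini at all; a host that is meant to run PHP then sets it On.
engine = On

display_errors = Off
log_errors = On
expose_php = Off

session.use_only_cookies = 1     ; never take the session ID from the query string
session.use_trans_sid = 0        ; never rewrite the session ID into URLs
session.cookie_secure = 1        ; assumes the site is served over HTTPS only
session.cookie_httponly = 1      ; keep the cookie away from client-side script
session.use_strict_mode = 1      ; reject session IDs the server never issued
                                 ; (blocks session fixation; newer PHP only)
session.cookie_samesite = Lax    ; PHP 7.3 and later; limits cross-site sending
```

With use_only_cookies and use_trans_sid set as above, a session ID can no longer be planted or leaked through a URL, and use_strict_mode makes PHP discard any ID it did not generate itself, which is exactly the kind of precaution the last paragraph of the message asks PHP to take as a component. cookie_secure must only be enabled once the site is actually served over HTTPS, otherwise no session cookie is ever sent.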