I've got this new server running with folks from all over uploading PHP code. I don't know all the folks, so I've turned on safe_mode, set an open_basedir to each user's documentroot, and left register_globals at its default.
And now I'm getting scads of requests to turn on register_globals from folks who want to run php-nuke and some other established packages that rely on it.

I realize that register_globals isn't itself unsafe ... but do the potential insecurities put my server at risk, or only customer data? By turning register_globals on with an otherwise safe open_basedir, are there things that could be revealed about the server that would otherwise be hidden?

My instinct says to leave register_globals OFF, and if folks want to run software that requires it, they should lobby the software maintainers to upgrade the software. (But how likely is php-nuke to get fixed?)

Thoughts?

--
Paul Chvostek <[EMAIL PROTECTED]>
Operations / Abuse / Whatever
it.canada, hosting and development http://www.it.ca/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
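
An added example, not part of the original post: the kind of script whose behaviour changes once register_globals is on, next to a version that is unaffected by the setting. Because the directive was removed in PHP 5.4, `extract()` emulates it here; the function names, the password and the request array are all constructed for illustration.

```php
<?php
// Added illustration; not code from the original post.
// register_globals was removed in PHP 5.4, so extract() emulates it:
// both turn request parameters into variables the script never declared.

// Constructed stand-in for a real credential check.
function check_password(string $pw): bool
{
    return hash_equals('correct horse', $pw);
}

// Fragile pattern: $authorized is never initialised, so with
// register_globals on a request parameter of that name pre-sets it.
function fragile_page(array $request, bool $registerGlobals): string
{
    if ($registerGlobals) {
        extract($request, EXTR_SKIP);   // emulation of register_globals = On
    }
    if (check_password((string)($request['pw'] ?? ''))) {
        $authorized = true;
    }
    return !empty($authorized) ? 'customer data' : 'denied';
}

// Hardened pattern: the flag is initialised before use, so the
// result is the same whichever way the directive is set.
function hardened_page(array $request, bool $registerGlobals): string
{
    if ($registerGlobals) {
        extract($request, EXTR_SKIP);
    }
    $authorized = false;
    if (check_password((string)($request['pw'] ?? ''))) {
        $authorized = true;
    }
    return $authorized ? 'customer data' : 'denied';
}

// Constructed request: no password, only a stray "authorized" parameter.
$request = ['authorized' => '1'];

foreach ([false, true] as $on) {
    printf("register_globals %-3s  fragile: %-13s  hardened: %s\n",
        $on ? 'on' : 'off',
        fragile_page($request, $on),
        hardened_page($request, $on));
}
```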