Paul Chvostek <[EMAIL PROTECTED]> wrote:
> 
> I've got this new server running with folks from all over uploading PHP
> code.  I don't know all the folks, so I've turned on safe_mode, set an
> open_basedir to each user's documentroot, and left register_globals at
> its default.
> 
> And now I'm getting scads of requests to turn on register_globals from
> folks who want to run php-nuke and some other established packages that
> rely on it.

You could trick em and set error_reporting = E_ALL & ~E_WARNING, and
just say they need to get the software fixed :)

> 
> I realize that register_globals isn't itself unsafe ... but do the
> potential insecurities put my server at risk, or only customer data?

no server risks as far as I know, just security flaws in the
applications.

> 
> By turning register_globals on with an otherwise safe open_basedir,
> are there things that could be revealed about the server that would
> otherwise be hidden?
> 
> My instinct says to leave register_globals OFF, and if folks want to run
> software that requires it, they should lobby the software maintainers to
> upgrade the software.  (But how likely is php-nuke to get fixed?)

I would tend to agree with you.  Some influence on it depends on whether
php is going to remove the ability to turn register_globals on and off
through the config.

As a developer myself, I'd rather see safer programming techniques
used.  

> Thoughts?
> 
> -- 
>   Paul Chvostek                                             <[EMAIL PROTECTED]>
>   Operations / Abuse / Whatever
>   it.canada, hosting and development                   http://www.it.ca/

Not much, but I hope it gave ya my viewpoint on it anyway.

Curt

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
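
The kind of application flaw the reply refers to, as an added example that is not part of the original thread: a check that relies on an uninitialised variable, next to the form that is safe whether register_globals is on or off. The function names and request data are constructed, and `extract()` stands in for register_globals (removed in PHP 5.4.0) so the script runs on a current PHP CLI.

```php
<?php
// Added illustration; names and sample requests below are constructed.
define('STORED_HASH', password_hash('correct horse', PASSWORD_DEFAULT));

// Behaves like a script running with register_globals = On: every request
// parameter becomes a local variable before the application logic runs.
function check_with_globals(array $request): bool
{
    extract($request); // assumption: stand-in for what register_globals did

    // Application bug: $authorized is never initialised, so a request
    // parameter with the same name survives into the final test.
    if (isset($password) && is_string($password)
        && password_verify($password, STORED_HASH)) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened form: initialise state, read only the named field explicitly.
function check_without_globals(array $request): bool
{
    $authorized = false;
    $password = $request['password'] ?? null;
    if (is_string($password) && password_verify($password, STORED_HASH)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample requests (parameter name => value).
$requests = [
    'valid login'     => ['password' => 'correct horse'],
    'wrong password'  => ['password' => 'guess'],
    'extra parameter' => ['password' => 'guess', 'authorized' => '1'],
];

foreach ($requests as $label => $request) {
    printf(
        "%-16s globals-style: %-7s explicit: %s\n",
        $label,
        check_with_globals($request) ? 'granted' : 'denied',
        check_without_globals($request) ? 'granted' : 'denied'
    );
}
```

The two functions differ only on the third request, which is the case a host would look for when auditing a package that asks for register_globals to be enabled.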
