On 26 Mar 2012, at 17:41, Alex Pojarsky wrote:

> Now, as the issue adressed and script removed, can you please explain
> what exactly are the issues of using such approach? I mean security
> ones, not performance.

It's the wrong solution to a process and organisation problem. Ultimately it's 
not really a problem IF you control every part of the infrastructure. Rene 
clearly doesn't so it has implications for everyone sharing that 
infrastructure, and anyone using the applications hosted there.

* It requires the host to enable allow_url_fopen which means every single 
script on the server is then able to include/require URLs. It just needs one of 
them to have a related vulnerability and suddenly people can execute arbitrary 
PHP code on the server.

* Rene mentioned that the code is open source. This implies that the security 
risk is lessened because the code that is being made publicly accessible is 
already publicly accessible, so the opportunity for someone to find 
vulnerabilities already exists. It gets an order of magnitude worse if other 
people start ignorantly using his code because they're essentially giving him 
the ability to execute arbitrary PHP code on their server. Not good no matter 
how much he protests that he won't "be evil."

* You specifically wished to exclude performance from the discussion, but 
scalability is potentially a big issue here and should not be completely 

I think the real issue for Rene is that of perceived complexity. The idea of 
having to manually keep many copies of the same code in sync is what leads to 
finding solutions like this one. This solution leads to unnecessary network 
traffic and introduces potential security risks that go way beyond your own 
code, and even if it's not a big issue now it has the potential to become 

I'd put a fair amount of cash on my guess that Rene is not using any form of 
source control. To me that is the best solution to this problem. Curtis 
mentioned rsync which will also do the job, but in my view you're nuts if 
you're not using some form of source control already, and building a largely 
automated process around that is trivial and automatically audited.

Rene: please read a book / website / something on PHP security. Some things are 
important whether you believe they are or not.


Stuart Dallas
3ft9 Ltd

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to