ronabop Fri Jan 12 23:52:39 2001 EDT
Modified files:
/phpdoc/en/chapters security.xml
Log:
Update advice, warnings about show_source() and friends.
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.14 phpdoc/en/chapters/security.xml:1.15
--- phpdoc/en/chapters/security.xml:1.14 Fri Jan 12 23:35:28 2001
+++ phpdoc/en/chapters/security.xml Fri Jan 12 23:52:39 2001
@@ -254,6 +254,22 @@
</sect1>
+ <sect1 id="security.current">
+ <title>Keeping Current</title>
+ <simpara>
+ PHP, like any other large system, is under constant scrutiny and
+ improvement. Each new version will often include both major and
+ minor changes to enhance and repair security flaws, configuration
+ mishaps, and other issues that will affect the overall security
+ and stability of your system.
+ </simpara>
+ <simpara>
+ Like other system-level scripting languages and programs, the best
+ approach is to update often, and maintain awareness of the latest
+ versions and their changes.
+ </simpara>
+ </sect1>
+
<sect1 id="security.apache">
<title>Installed as an Apache module</title>
<simpara>
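Review bot: The second simpara of the new "Keeping Current" sect1 has a misattached comparison: "Like other system-level scripting languages and programs, the best approach is to update often" reads as if the best approach is itself a scripting language. Suggest "As with other system-level scripting languages and programs, the best approach is to update often and to stay aware of the latest versions and their changes." The first simpara could also name where to look (the release announcements and changelog), since "maintain awareness" gives the reader nothing concrete to act on.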
@@ -422,14 +438,18 @@
developer who is trying to debug a script, indicating such things
as the function or file that failed, the PHP file it failed in,
and the line number which the failure occured in. This is all
- information that can be exploited.
+ information that can be exploited. It not uncommon for a php
+ developer to use show_source(), highlight_string(), or
+ highlight_file() as a debugging measure, but in a live site, this
+ can expose hidden variables, unchecked syntax, and other dangerous
+ information.
</simpara>
<simpara>
- For example, the very style of error indicates a system is running
- PHP. If the attacker was looking at an .html page, and wanted to
- probe for the back-end (to look for known weaknesses in the system),
- by feeding it the wrong data they may be able to determine that a
- system was built with PHP.
+ For example, the very style of a generic error indicates a system
+ is running PHP. If the attacker was looking at an .html page, and
+ wanted to probe for the back-end (to look for known weaknesses in
+ the system), by feeding it the wrong data they may be able to
+ determine that a system was built with PHP.
</simpara>
<simpara>
A function error can indicate whether a system may be running a
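Review bot: The added sentence is missing a verb: "It not uncommon for a php developer" should read "It is not uncommon for a PHP developer", with PHP capitalised as elsewhere in this file. The function names show_source(), highlight_string() and highlight_file() should use the manual's function markup (e.g. <function>show_source</function>) rather than bare text with parentheses, so they get linked and rendered consistently. "unchecked syntax" is unclear as a thing that is exposed; say what is meant (the script's source itself, including any variables and logic embedded in it). The untouched context line still carries the typo "occured" (should be "occurred"); worth fixing while this paragraph is being edited.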
@@ -444,7 +464,9 @@
<simpara>
A filesystem or general PHP error can indicate what permissions
the webserver has, as well as the structure and organization of
- files on the web server.
+ files on the web server. Developer written error code can aggravate
+ this problem, leading to easy exploitation of formerly "hidden"
+ information.
</simpara>
<simpara>
There are three major solutions to this issue. The first is to
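Review bot: "Developer written error code" should be hyphenated ("Developer-written"), and the phrase is ambiguous about whether it means custom error-handling routines or the error messages they print. Suggest stating it directly, e.g. "Custom error handling written by the developer can make this worse if it prints paths, variable contents, or other details that the default error output would not," so that the reader knows what to avoid. The quotation marks around "hidden" are fine in DocBook element content, but consider whether the word needs quoting at all; "formerly private information" would read more plainly.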