From: cjbj at hotmail dot com
Operating system: n/a
PHP version: Irrelevant
PHP Bug Type: Documentation problem
Bug description: Suggestions for improving security note documentation
Description:
------------
The phrasing in http://www.php.net/security-note.php has caused confusion in at least one database administrator's mind about the safeness of PHP. See http://forums.oracle.com/forums/thread.jspa?threadID=340485 for one report of confusion.

Can the fourth paragraph of the security note be modified to read:

    For Local exploits we mostly hear about open_basedir or safemode problems on shared virtual hosts. These two features are there as a convenience to system administrators and should in no way be thought of as a complete security framework. With all the 3rd-party libraries you can hook into PHP and all the creative ways you can trick these libraries into accessing files, it is impossible to guarantee security with these directives. The CURL extension is a library that allows local file system access despite the value of open_basedir. Another example is that Oracle Database can be configured to allow local files to be loaded into the database. Access control is handled by Oracle and is not under control of PHP.
-- Edit bug report at http://bugs.php.net/?id=35308&edit=1
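As an added illustration of the report's point (example code written here, not text from php.net or the reporter), these are the application-level controls a PHP developer can apply instead of relying on open_basedir: a path validator built on realpath(), and a curl wrapper that limits the handle to HTTP(S) through CURLOPT_PROTOCOLS so that file:// is refused whatever open_basedir says. ALLOWED_DIR and the two function names are this example's own assumptions.

```php
<?php
// Added example: enforce file-access policy in application code rather than
// relying on open_basedir, which libraries such as curl can sidestep.
const ALLOWED_DIR = '/var/www/app/data'; // constructed sample directory

// Return file contents only when the resolved path lies under ALLOWED_DIR.
// realpath() resolves symlinks and "..", so traversal by either route is caught.
function safe_read_file(string $userPath): ?string
{
    $base = realpath(ALLOWED_DIR);
    $real = realpath(ALLOWED_DIR . '/' . $userPath);
    if ($base === false || $real === false) {
        return null; // base directory missing or target does not exist
    }
    // Compare with a trailing separator so "/var/www/app/data2" is not accepted.
    if (strpos($real . '/', $base . '/') !== 0) {
        error_log("rejected path outside allowed directory: $real");
        return null;
    }
    return file_get_contents($real);
}

// Fetch a URL but allow only HTTP(S); file://, ftp://, etc. are rejected by
// libcurl itself, including on redirects (CURLOPT_REDIR_PROTOCOLS).
function fetch_url(string $url): ?string
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        error_log('curl refused or failed: ' . curl_error($ch));
        $body = null;
    }
    curl_close($ch);
    return $body;
}

// Both calls return null: the first because the path escapes ALLOWED_DIR,
// the second because the file:// protocol is not in the allowed set.
var_dump(safe_read_file('../outside.txt') === null);
var_dump(fetch_url('file:///tmp/local.txt') === null);
```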