Hello Andrew. > I think it would take two things to properly mitigate this vulnerability: > 1) Patching PHP to add in new ini settings in parallel to those in > suexec, and advising that a script which forces those ini options to be > set before calling the binary, rather than the PHP binary itself, should > be installed.
It's been agreed that we won't implement any more security hacks in PHP itself since such things should be done by the OS, so no more magic INI settings. The only "magic" thing that is left at the moment is open_basedir and even this might be bypassed by some external library directly using open(), even though we do try our best to prevent that. > 2) Fixing the documentation to ensure that sysadmins are well informed > about the risk and how to avoid it. I'm sure the documentation team (CCed) would be happy to improve the manual. Do you have any certain ideas on what and how to improve? -- Wbr, Antony Dovgal
