Re: Question about PHP safe mode

2015-06-24 Thread Markus Rosjat

Hey Guys,

thanks for the response

On 23.06.2015 at 11:56, Heiko Zimmermann wrote:

Markus,

are you kidding?

http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-50739/PHP-PHP-5.2.5.html
I'm aware that PHP isn't a thing you want to use in 5.2.4, but we don't 
have customers who are using PHP scripts anyway for now. Just one 
customer asked if we could switch off safe_mode.

And OpenBSD 4.2 was released Nov 1, 2007. You don't think it is important
to upgrade?

Sure it is, if you grant me 35h/day I will upgrade it right now ...

Best Regards,
Heiko

On 23.06.2015 at 11:44, Markus Rosjat wrote:

Hi there,

just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP
version. safe_mode is on, a customer wants to have it off. Is there
any security risk to it, or do I need to check something on the system
level to disable it but still have my environment secured?

regards


--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you 
print it, think about your responsibility and commitment to the ENVIRONMENT



Re: Question about PHP safe mode

2015-06-24 Thread Stuart Henderson
On 2015-06-24, Markus Rosjat ros...@ghweb.de wrote:
 And OpenBSD 4.2 was released Nov 1, 2007. You don't think it is important
 to upgrade?
 Sure it is, if you grant me 35h/day I will upgrade it right now ...

If you don't have time to upgrade, you surely don't have time to
investigate a security breach.



Re: Question about PHP safe mode

2015-06-23 Thread Stuart Henderson
On 2015-06-23, Markus Rosjat ros...@ghweb.de wrote:
 Hi there,

 just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP 
 version. safe_mode is on, a customer wants to have it off. Is there 
 any security risk to it, or do I need to check something on the system 
 level to disable it but still have my environment secured?

safe_mode was removed in PHP 5.4.

Take a look at http://php.net/supported-versions.php - so,
safe_mode is not available in any version of PHP which is still
receiving security updates.

PHP 5.2.4 definitely has a security risk to it, if you're running PHP,
*especially* with customer-provided or otherwise untrusted scripts, you
really ought to be tracking recent versions closely.

Suggestion: set up a new machine/VM with OpenBSD 5.7, install the newest
PHP version, run openup (https://stable.mtier.org/) regularly to get
updated versions, and get your customer to move across to it (this
should be an easy decision for them to make as they want safe_mode
off anyway). And arrange a process to keep things up-to-date... 
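What Stuart's suggestion looks like in configuration, as an added example that is not part of the original thread: the PHP 5.2-era safe_mode directives the customer wants switched off, beside the settings that replaced them on a supported PHP (open_basedir, disable_functions, and a per-customer php-fpm pool running under its own UID inside a chroot). The two commented file headers, the pool name, the user/group, the socket path and the directory paths are assumptions for illustration; the directive names are real PHP ones.

```ini
; ---- File 1 (assumed): php.ini on the old PHP 5.2.4 box ----
; safe_mode compared the UID of the running script with the UID of every
; file it opened and limited exec() to binaries under safe_mode_exec_dir.
; It was never a real sandbox (many extensions ignored it), which is why
; it was removed in PHP 5.4.
safe_mode = On
safe_mode_gid = Off
safe_mode_exec_dir = /var/www/bin
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH

; ---- File 2 (assumed): php-fpm pool file on the new OpenBSD 5.7 host ----
; The replacement for safe_mode is OS-level separation: one pool per
; customer, running as that customer's unprivileged user inside a chroot,
; so the kernel rather than the interpreter decides who may read what.
[customer]
user = customer
group = customer
listen = /var/www/run/php-fpm-customer.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = ondemand
pm.max_children = 8
chroot = /var/www
; Paths below are relative to the chroot. Scripts cannot override
; php_admin_* values with ini_set() or .htaccess-style overrides.
php_admin_value[open_basedir] = /htdocs/customer:/tmp
; Drop the process-spawning and loader functions this customer does not need.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl
; No fetching or including code over the network.
php_admin_flag[allow_url_fopen] = off
php_admin_flag[allow_url_include] = off
; Keep error detail and the PHP version out of responses.
php_admin_flag[display_errors] = off
php_admin_flag[expose_php] = off
```

open_basedir and disable_functions are interpreter-level restrictions and, like safe_mode, have had bypasses over the years; treat them as defence in depth, not as the boundary. The pool's user/group and chroot are what actually keep one customer's scripts out of another's files. To confirm the effective settings from a script in the pool, check ini_get('open_basedir') and function_exists('exec'); from the shell, php -i shows the loaded ini values.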



Question about PHP safe mode

2015-06-23 Thread Markus Rosjat

Hi there,

just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP 
version. safe_mode is on, a customer wants to have it off. Is there 
any security risk to it, or do I need to check something on the system 
level to disable it but still have my environment secured?


regards




Re: Question about PHP safe mode

2015-06-23 Thread Heiko Zimmermann
Markus,

are you kidding?

http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-50739/PHP-PHP-5.2.5.html

And OpenBSD 4.2 was released Nov 1, 2007. You don't think it is important
to upgrade?

Best Regards,
Heiko

On 23.06.2015 at 11:44, Markus Rosjat wrote:
 Hi there,
 
 just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP
 version. safe_mode is on, a customer wants to have it off. Is there
 any security risk to it, or do I need to check something on the system
 level to disable it but still have my environment secured?
 
 regards