Commit c731c7a

Update security-notes
NeverEverSanity wasn't so recent, and safemode is long gone.
1 parent 0a39d89 commit c731c7a

File tree

1 file changed, +6 -6 lines changed

security-note.php

Lines changed: 6 additions & 6 deletions
@@ -14,7 +14,7 @@
1414
not be safe to pass to another.
1515
</p>
1616
<p>
17-
A recent Web Worm known as NeverEverSanity exposed a mistake in the input
17+
Long ago, a Web Worm known as NeverEverSanity exposed a mistake in the input
1818
validation in the popular phpBB message board application. Their
1919
highlighting code didn't account for double-urlencoded input correctly.
2020
Without proper input validation of untrusted user data combined with any
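Review bot: "Long ago" on the changed line is vaguer than the "recent" it replaces, and in a security note that leaves the reader unable to judge whether the double-urlencoding issue still applies to them; consider naming the year the worm circulated and the phpBB versions whose highlighting code was affected. While touching this sentence, "Their highlighting code" has no plural antecedent after "application"; "Its highlighting code" or "phpBB's highlighting code" reads correctly.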
@@ -37,20 +37,20 @@ functions you may be passing this data to. A variation of the remote
3737
some javascript that the next user then views.
3838
</p>
3939
<p>
40-
For Local exploits we mostly hear about open_basedir or safemode problems
41-
on shared virtual hosts. These two features are there as a convenience to
40+
For Local exploits we mostly hear about open_basedir problems
41+
on shared virtual hosts. This feature is there as a convenience to
4242
system administrators and should in no way be thought of as a complete
4343
security framework. With all the 3rd-party libraries you can hook into
4444
PHP and all the creative ways you can trick these libraries into accessing
45-
files, it is impossible to guarantee security with these directives. The
45+
files, it is impossible to guarantee security with this directive. The
4646
Oracle and Curl extensions both have ways to go through the library and
4747
read a local file, for example. Short of modifying these 3rd-party
4848
libraries, which would be difficult for the closed-source Oracle library,
4949
there really isn't much PHP can do about this.
5050
</p>
5151
<p>
52-
When you have PHP by itself with only a small set of extensions safemode
53-
and open_basedir are generally enough to frustrate the average bad guy,
52+
When you have PHP by itself with only a small set of extensions
53+
open_basedir is generally enough to frustrate the average bad guy,
5454
but for critical security situations you should be using OS-level security
5555
by running multiple web servers each as their own user id and ideally in
5656
separate jailed/chroot'ed filesystems. Better yet, use completely
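Review bot: deleting safemode from both paragraphs silently drops the fact the commit message states, that safe mode is gone; since older guides still recommend it, one sentence saying it has been removed would stop readers from hunting for the directive, e.g. "safe_mode is no longer available; open_basedir remains, and it is there as a convenience ...". Smaller points in the same hunk: "For Local exploits" should be "For local exploits", and the rewritten sentence "open_basedir is generally enough to frustrate the average bad guy" would be stronger if it said what it does not stop (the extension-based file reads described just above), which is the reason the paragraph then recommends per-user web servers and chroot'ed filesystems.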

0 commit comments
