[ale] is there hope for securing php?

Jim Kinney jim.kinney at gmail.com
Wed Jun 6 08:47:48 EDT 2012


Good points. Since php 5, the underlying security mess has greatly
improved. As with all tools, the application really matters.

I am particularly pleased with the existence of the selinux wrapper as this
will provide a (potentially) solid wall between the privilege escalation
attempt and actual access.

It will be a near vertical learning curve to squeeze many common php apps
into a selinux armor suit.

On Wed, Jun 6, 2012 at 5:12 AM, Leam Hall <leamhall at gmail.com> wrote:

> On 06/05/2012 11:48 PM, Jim Kinney wrote:
> > http://koji.fedoraproject.org/koji/packageinfo?packageID=7917
> >
> > There is a selinux package for php that can be used to wrap it with
> > kernel armor that, in an selinux way, can be used to block privilege
> > escalations and unauthorized file writes.
> >
> > It still requires an selinux guru to totally hack the rules into a
> > custom form for a web app but the wrapper does exist.
> >
> > This would make drupal and wordpress not quite so scary to run.
> >
>
> The difference between PHP and most other web facing languages is usage,
> not vulnerabilities. Because PHP is used to interact with users, and
> abusers, there will always be issues with how the code is written.
>
> While PHP has room for improvement, I have not seen that the language
> itself is any worse than the other scripting languages out there.
>
> The key issue is that PHP scripts run as the webserver and you have to
> code heavily against privilege escalation outside of what your webpage
> should do.
>
> Leam



-- 
James P. Kinney III

As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as they
please, and those who survive will be left to contemplate the outcome.
- 2011 Noam Chomsky

http://heretothereideas.blogspot.com/