PHP Security, Part 1
Subject:   no PHP security on shared web servers
Date:   2003-08-08 08:17:52
From:   idallen
When you do your article on security, please address a common issue that
seems to be a dirty trade secret: the lack of security for PHP-accessed
files on a shared web server.

A huge number of people have purchased web hosting accounts on shared
servers - servers where your account is only one of many. Advice against
"storing sensitive data in the web tree" is of limited benefit if you
share a server with other accounts; the advice only protects the files
from being accessed via the web server program itself. It doesn't protect
the files from access by other means, such as PHP scripts written by
other people sharing the same server.

Unlike CGI scripts, all PHP code runs as the userid of the web server,
no matter in whose account it resides. That means that if *you* write
a PHP script that can access a file on your server, *anyone else* on
the same server as you can write a PHP script to access the same file,
in the same way.

You have no protection from someone on the same server as you writing
a PHP script to read and write the same files that you read and write.

It doesn't matter where you put the files; if your PHP code can see them,
so can PHP code (or CGI code, or even shell scripts) written by other
people on the same server.

Only shared servers that implement a true virtual account environment are
resistant to this type of file system browsing (e.g. Ensim). Common web
hosting environments such as cPanel have no protection.

Note that turning on safe_mode on the PHP server doesn't solve this
problem. If you have a PHP script that can read/write a file, anyone
else on your server can write a PHP script to read/write the same file.

There are ways to have PHP scripts execute using the userid of the
file containing the script. This makes PHP scripts as secure as CGI
scripts, and it can solve the problem; however, it places a large
load on the web server and few web hosting providers do this.

An alarming number of web hosting providers fail to tell their clients
that the wonderful PHP/database/bulletin-board systems they offer
are completely open to compromise by other users of the same server.
(I actually posted information about the possibility of compromise on
the public forum pages at one web provider and they took it off and told
me not to do that again. They don't want their clients to know.)
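
An added example, not part of the original comment: a small audit that lists which files under your account the web server userid can open, which under the model described above are the files any co-tenant's script can reach. The function names and the default uid/gid of 33 (www-data on Debian-style systems) are assumptions; only mode bits from the audited directory downward are evaluated, not ACLs or parent directories.

```python
import os
import stat

def perm_bits(st, uid, gids):
    """Return the rwx triplet (0-7) the kernel applies to uid/gids for this inode."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7      # owner class
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7      # group class
    return st.st_mode & 7                 # other class

def audit(root, uid, gids):
    """List (relative path, 'r'/'w'/'rw') for regular files under root that uid can open."""
    findings = []
    stack = [root]
    while stack:
        directory = stack.pop()
        # Without search (x) permission on a directory, nothing below it is reachable.
        if not perm_bits(os.lstat(directory), uid, gids) & 1:
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            st = os.lstat(path)           # lstat: do not follow symlinks out of the tree
            if stat.S_ISDIR(st.st_mode):
                stack.append(path)
            elif stat.S_ISREG(st.st_mode):
                bits = perm_bits(st, uid, gids)
                access = ("r" if bits & 4 else "") + ("w" if bits & 2 else "")
                if access:
                    findings.append((os.path.relpath(path, root), access))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    # Assumed defaults: pass your own server's web userid and group id instead.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    web_uid = int(sys.argv[2]) if len(sys.argv) > 2 else 33
    web_gid = int(sys.argv[3]) if len(sys.argv) > 3 else 33
    for rel, access in audit(root, web_uid, {web_gid}):
        print(f"{access:2}  {rel}")
```

Run it from the top of the hosting account with the web server's uid and gid as the second and third arguments; every line it prints is a file that code running as the web server can read or write.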
