Question about PHP safe mode


Question about PHP safe mode

Markus Rosjat
Hi there,

just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP
version. The safe_mode is on, a customer wants to have it off. Is there
any security risk to it or do I need to check something on the system
level to disable it but still have my environment secured?

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: [hidden email]

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT


Re: Question about PHP safe mode

Heiko Zimmermann-5
Markus,

are you kidding?

http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-50739/PHP-PHP-5.2.5.html

And OpenBSD 4.2 was released Nov 1, 2007. You don't think it is important
to upgrade?

Best Regards,
Heiko

On 23.06.2015 at 11:44, Markus Rosjat wrote:
> Hi there,
>
> just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP
> version. The safe_mode is on, a customer wants to have it off. Is there
> any security risk to it or do I need to check something on the system
> level to disable it but still have my environment secured?
>
> regards


Re: Question about PHP safe mode

Stuart Henderson
On 2015-06-23, Markus Rosjat <[hidden email]> wrote:
> Hi there,
>
> just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP
> version. The safe_mode is on, a customer wants to have it off. Is there
> any security risk to it or do I need to check something on the system
> level to disable it but still have my environment secured?

safe_mode was removed in PHP 5.4.

Take a look at http://php.net/supported-versions.php - so,
safe_mode is not available in any version of PHP which is still
receiving security updates.

PHP 5.2.4 definitely has a security risk to it. If you're running PHP,
*especially* with customer-provided or otherwise untrusted scripts, you
really ought to be tracking recent versions closely.

Suggestion: set up a new machine/VM with OpenBSD 5.7, install the newest
PHP version, run openup (https://stable.mtier.org/) regularly to get
updated versions, and get your customer to move across to it (this
should be an easy decision for them to make as they want safe_mode
off anyway). And arrange a process to keep things up-to-date...
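A small audit script for the situation described above, added here as an illustration and not something from the thread or from the PHP project: it reads the output of `php -v` and a php.ini fragment, checks whether the running branch is in a list of branches still receiving security fixes, and reports how `safe_mode` relates to that version (relied upon on a pre-5.4 branch, or present but ignored on 5.4 and later, where the directive no longer exists). The sample `php -v` output, the ini fragment and the set of supported branches are constructed for the example; take the real supported list from http://php.net/supported-versions.php when you run it.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample inputs (not taken from the thread): what `php -v` and a
# php.ini fragment might look like on an old PHP 5.2.x installation.
SAMPLE_PHP_V = (
    "PHP 5.2.4 (cli) (built: Oct 10 2007 13:55:00)\n"
    "Copyright (c) 1997-2007 The PHP Group\n"
)
SAMPLE_INI = """\
; php.ini fragment (constructed for the example)
safe_mode = On
safe_mode_exec_dir = /usr/local/php-bin
open_basedir = /var/www
"""

# Assumed list of branches still receiving security fixes. This is an input,
# not knowledge the script has: refresh it from php.net/supported-versions.php.
ASSUMED_SUPPORTED_BRANCHES: Set[Tuple[int, int]] = {(5, 5), (5, 6)}

# safe_mode was removed in PHP 5.4 (stated in the reply above).
SAFE_MODE_REMOVED_IN = (5, 4, 0)


def parse_php_version(php_v_output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the first 'PHP x.y.z' line of `php -v`."""
    m = re.search(r"^PHP (\d+)\.(\d+)\.(\d+)", php_v_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'PHP x.y.z' line found in php -v output")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_ini_directives(ini_text: str) -> Dict[str, str]:
    """Minimal php.ini reader: strips ';' comments, lower-cases keys, unquotes values."""
    directives: Dict[str, str] = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def ini_flag_is_on(value: str) -> bool:
    """PHP treats On/1/True/Yes (case-insensitive) as a true boolean ini value."""
    return value.strip().lower() in ("on", "1", "true", "yes")


def audit(php_v_output: str, ini_text: str,
          supported_branches: Set[Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the version/safe_mode combination."""
    version = parse_php_version(php_v_output)
    directives = parse_ini_directives(ini_text)
    findings: List[Tuple[str, str]] = []
    vstr = ".".join(str(n) for n in version)

    # Finding 1: the running branch no longer receives security fixes.
    if version[:2] not in supported_branches:
        findings.append(("EOL_BRANCH",
                         f"PHP {vstr} is on a branch without security updates; "
                         f"plan an upgrade rather than tuning safe_mode"))

    # Finding 2/3: how safe_mode relates to this version.
    if version >= SAFE_MODE_REMOVED_IN:
        if "safe_mode" in directives:
            findings.append(("SAFE_MODE_IGNORED",
                             f"safe_mode is set in php.ini but PHP {vstr} no longer "
                             f"implements it (removed in 5.4); it provides nothing"))
    elif ini_flag_is_on(directives.get("safe_mode", "Off")):
        findings.append(("SAFE_MODE_RELIED_ON",
                         "safe_mode=On is the only boundary for untrusted scripts "
                         "here; it disappears on any supported version, so isolation "
                         "has to come from the system level (OS users, open_basedir, "
                         "web-server configuration) before or during the upgrade"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_PHP_V, SAMPLE_INI, ASSUMED_SUPPORTED_BRANCHES):
        print(f"[{code}] {msg}")
```

On the constructed 5.2.4 input this reports both `EOL_BRANCH` and `SAFE_MODE_RELIED_ON`; on a 5.6 install that still carries the directive it reports only `SAFE_MODE_IGNORED`, which is the case Stuart's point about supported versions leads to after the move.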


Re: Question about PHP safe mode

Markus Rosjat
Hey Guys,

thanks for the response

On 23.06.2015 at 11:56, Heiko Zimmermann wrote:
> Markus,
>
> are you kidding?
>
> http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-50739/PHP-PHP-5.2.5.html
I'm aware that PHP isn't a thing you want to use in a 5.2.4 but we don't
have customers who are using PHP scripts anyway for now. Just one
customer asked if we could switch off the safe_mode.
> And OpenBSD 4.2 was released Nov 1, 2007. You don't think it is important
> to upgrade?
Sure it is, if you grant me 35h/day I will upgrade it right now ...

> Best Regards,
> Heiko
>
> On 23.06.2015 at 11:44, Markus Rosjat wrote:
>> Hi there,
>>
>> just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP
>> version. The safe_mode is on, a customer wants to have it off. Is there
>> any security risk to it or do I need to check something on the system
>> level to disable it but still have my environment secured?
>>
>> regards



Re: Question about PHP safe mode

Stuart Henderson
On 2015-06-24, Markus Rosjat <[hidden email]> wrote:
>> And OpenBSD 4.2 was released Nov 1, 2007. You don't think it is important
>> to upgrade?
> Sure it is, if you grant me 35h/day I will upgrade it right now ...

If you don't have time to upgrade, you surely don't have time to
investigate a security breach.