[BlueOnyx:19766] Re: Enabling the rewrite module in Apache config

Greg Kuhnert gkuhnert at compassnetworks.com.au
Fri Jun 24 20:19:23 -05 2016


Hi Michael.

Nothing like a little friendly debate… and in this case I disagree with you… Your email below talked about “all bets of server integrity are off” if we allow end users to set allow_url_fopen and allow_url_include to on. I disagree with that statement. 

Yes, allow_url_fopen and allow_url_include are bad. I agree 100% with you on that. It is a common vector for attack. However, there are apps that need those functions turned on to (for example) perform auto updates for patching. 

The reason I classified open_basedir as a showstopper (if not using suphp etc.) is because if it gets changed in .htaccess, it can let a malicious script get outside a restricted directory tree. And without suphp file permissions, you can have a seriously damaged box in a very short time. On the other hand, if you use suphp or similar, any change to open_basedir won’t help the bad guys since the file system is protected by a more sophisticated mechanism. Yes, bad guys can do damage to a single website, but not the overall server infrastructure.

I am still comfortable turning on AllowOverride Options… As long as my server infrastructure is protected, I don’t mind letting end users do what they like in their own sandpit. And if it breaks for them, that is their problem (and I am happy to charge a fee to fix their site).

:)

GK


> On 25 Jun 2016, at 7:02 AM, Michael Stauber <mstauber at blueonyx.it> wrote:
> 
> Hi all,
> 
> Greg wrote:
>> The biggest risk in my opinion relates to open_basedir.
> 
> That and "allow_url_fopen" and "allow_url_include", which are fruit of
> the poison tree. If these are on, all bets of server integrity are off.
> A vulnerable script can then be tricked into including remotely hosted
> PHP code and executing it as if it were part of the original PHP
> application that you host.
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
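The point both messages circle around is who gets the last word on open_basedir, allow_url_fopen and allow_url_include once AllowOverride Options is on. The configuration below is an added illustration, not part of either message and not BlueOnyx's own config. It assumes PHP runs as mod_php (the case where a site's .htaccess can carry php_value/php_flag lines, because mod_php registers those directives under the Options override class); the paths and hostname are constructed placeholders.

```apache
# Weak: PHP settings live only in php.ini, and AllowOverride Options lets a
# .htaccess in the docroot override them with php_value/php_flag, e.g.
#   php_value open_basedir none
#   php_flag  allow_url_include on
# Constructed path, for illustration only.
<Directory "/home/sites/example/web">
    AllowOverride Options FileInfo
    Require all granted
</Directory>

# Hardened: AllowOverride Options stays on, so the site owner keeps control of
# the harmless knobs, but the integrity-relevant directives are pinned with
# php_admin_value / php_admin_flag. Admin-level settings cannot be changed from
# .htaccess, nor with ini_set() from a script at run time.
<VirtualHost *:80>
    # Placeholder hostname and constructed docroot.
    ServerName example.invalid
    DocumentRoot "/home/sites/example/web"

    # Confine the interpreter to the site's tree plus a scratch directory.
    php_admin_value open_basedir "/home/sites/example/web:/tmp"
    # Remote-include vectors off, regardless of what the site asks for.
    php_admin_flag allow_url_fopen off
    php_admin_flag allow_url_include off

    <Directory "/home/sites/example/web">
        AllowOverride Options FileInfo
        Require all granted
    </Directory>
</VirtualHost>
```

To check the lock, drop a .htaccess containing `php_value open_basedir none` into the docroot and request a page that prints `ini_get('open_basedir')`: with the php_admin_value in place the output is still the vhost's value. Under suPHP or PHP-FPM, the setup Greg relies on, these mod_php directives do nothing; the equivalent per-site pin is a `php_admin_value[...]` / `php_admin_flag[...]` line in that site's FPM pool (or its suPHP php.ini), and the file-system boundary comes from the site's files being owned by and served as that site's own user.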