TinyURL PHP "flaw" ?

The Register is running a story today, "TinyURL, your configs are showing", which points out that TinyURL has a /php.php page displaying the contents of phpinfo().

The article then goes on to make some scary-sounding claims from security consultant Rafal Los: "Why would you want to run a web service as 'Administrator' because if I figure out a way to jack that service, I completely, 100% own that machine." and "More importantly... why is this server running as ROOT:WHEEL?!"

Sorry Rafal - but you appear to have no idea how web servers work, or all that much about (web) security.

All Unix-based web servers start as root if they want to bind to the restricted (and default) port 80, after which they switch to the configured UID for request handling. So, right there go all of Rafal's claims about pwning the machine.

Check your own server: the _SERVER and _ENV values will reflect the starting shell/environment, which just happens to be root. In other words, there is nothing wrong with the settings. Having said that, they do have register_globals turned on, which isn't ideal - but it isn't a gaping hole if the underlying PHP code is safely coded.
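To make the start-as-root-then-drop sequence concrete, here is a small added example (not code from the post, and not TinyURL's or Apache's own) of the pattern a Unix web server follows: bind the privileged port while root, switch to the configured unprivileged identity, then confirm the switch cannot be undone. It assumes Linux and uses the conventional "nobody" uid/gid 65534 as the configured identity; the report function shows why the environment still says root while the effective UID does not.

```python
import os
import socket

# Assumed unprivileged identity (Linux "nobody"); a real server uses the
# uid/gid named in its configuration (e.g. Apache's User/Group directives).
UNPRIV_UID = 65534
UNPRIV_GID = 65534


def bind_listener(port):
    """Step 1: bind while still privileged. Ports below 1024 need root
    (or CAP_NET_BIND_SERVICE) at bind time only; the socket stays usable
    after privileges are dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))
    sock.listen(5)
    return sock


def drop_privileges(uid=UNPRIV_UID, gid=UNPRIV_GID):
    """Step 2: switch to the configured identity for request handling.
    Returns True if privileges were dropped, False if the process was never
    root (nothing to drop); raises if the drop turns out to be reversible."""
    if os.geteuid() != 0:
        return False
    os.setgroups([])   # supplementary groups first
    os.setgid(gid)     # gid before uid: once uid changes, gid is locked in
    os.setuid(uid)     # as root this replaces real, effective and saved uid
    try:
        os.setuid(0)   # must fail: there is no saved root uid to return to
    except PermissionError:
        return True
    raise RuntimeError("privilege drop was reversible")


def identity_report():
    """The distinction phpinfo() blurs: the environment is inherited from
    whoever launched the server (usually root) and is untouched by setuid,
    whereas the effective uid/gid is the identity requests actually run as."""
    return {
        "env_user": os.environ.get("USER"),
        "env_home": os.environ.get("HOME"),
        "euid": os.geteuid(),
        "egid": os.getegid(),
    }
```

Run it as root and the report still shows USER=root and HOME=/root next to euid 65534, which is exactly what TinyURL's phpinfo() page reflects.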

Also, to TinyURL's credit, they are running the Suhosin patch to harden their server. They're also running the latest production PHP (which is more than I can say). Granted, they probably don't want to be exposing phpinfo() - but this is all just an overblown storm in a teacup.


7 Comments

Heh nice post, The Register is further down my feeds so hadn't got around to reading that yet, but yes, you're right!

Are you an idiot? PHP hostings normally show their configs... no big deal

"o", Perhaps you didn't read the article correctly - I'm claiming there is no flaw and I am debunking the original story.

o: You realise, of course, that Paul is pointing out the idiocy of the analyst in the Register article, in stating that the phpinfo is a huge security risk.

You are, in fact, agreeing with Paul. No need to call him an idiot.

I did find it somewhat amusing to read - heaven forbid someone finds out a web server's IP address...

You certainly don't want to show the phpinfo output, just as you don't want to show the Apache (or other web server's) version number.

In a perfect world, you update your servers right at the time that flaws are known, and your code's perfectly fine.

In a not so perfect world, you try to hide as much information as possible.
And if you forgot to get rid of this phpinfo display, who knows what else you forgot?

You're right about the root thing of course but the contents of the phpinfo() output still reveal some potential weaknesses in their system.

As I pointed out in El Reg's comments, register_globals is on for starters. Of course, half of you are now screaming at me that it's not a security risk per se, and you're right to an extent, but it sure is a real big pointer that secure coding best practices are not being properly followed. Slapping Suhosin on the server and relying on that to protect the contents of your superglobals just doesn't cut it these days.

If your code doesn't stick to the golden rules, sooner or later someone will get into it. On a service so widely used and (perhaps unwisely) trusted as TinyURL, that could cause all manner of problems...


About this Entry

This page contains a single entry by Paul Gregg published on March 19, 2009 2:17 AM.
