Unit 14: Security
This means that session files can be read by any PHP script on the server, as all PHP scripts run
with the same web server ID. In situations where your PHP code is stored on an ISP’s server
that is shared with other users’ PHP scripts, variables you store in your sessions are visible to
other PHP scripts.
Even worse, other users on the server can create files in /tmp. There’s nothing preventing a
user from creating a fake session file that has any variables and values he wants in it. The user
can then have the browser send your script a cookie containing the name of the faked session,
and your script will happily load the variables stored in the fake session file.
One workaround is to ask your service provider to configure their server to place your session
files in your own directory. Typically, this means that your VirtualHost block in the Apache
httpd.conf file will contain:
php_value session.save_path /some/path
If you have .htaccess capabilities on your server and Apache is configured to let you override
options, you can make the change yourself.
For the most secure session variables possible, create your own session store (e.g., in a database).
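The database-backed store suggested above, as an added example that is not code from the original text: a SessionHandlerInterface implementation that keeps session data in an SQLite table instead of world-readable files in /tmp. The DSN path, the table name and the expiry column are assumptions of this example; the ID check in read() rejects cookie values that do not look like IDs PHP itself generates, so a hand-crafted session name cannot pull in an arbitrary record.

```php
<?php
// Added example: keep session data in a private database rather than in the
// shared /tmp directory. Path and schema are assumptions for this example.
final class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    public function __construct(string $dsn)
    {
        $this->db = new PDO($dsn, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, expires INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        // Only accept IDs shaped like PHP's own (sid_bits_per_character 4, 5 or 6;
        // sid_length 22..256); anything else starts an empty session instead.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            return '';
        }
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }
    public function write(string $id, string $data): bool
    {
        // Expire rows after session.gc_maxlifetime seconds of inactivity.
        $ttl = (int) ini_get('session.gc_maxlifetime');
        $stmt = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time() + $ttl]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires < ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

// The database file must live outside the document root and be readable only
// by your own account; the path below is a placeholder.
session_set_save_handler(new DbSessionHandler('sqlite:/var/www/private/sessions.db'), true);
session_start();
```

Setting session.use_strict_mode=1 alongside this handler makes PHP discard uninitialized IDs supplied by the client, so a forged cookie cannot even fix the session name in advance.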
14.4.4 Safe Mode
Many ISPs have scripts from several users running on one web server. Since all the users who
share such a server run their PHP scripts as the same user, one script can read another’s data
files. Safe mode is an attempt to address this and other problems caused by shared servers.
If you are not sharing your server with other users that you do not trust, you do not need to
worry about safe mode at all.
When enabled through the safe_mode directive in your php.ini file, or on a per-directory or per-
virtual host basis in your httpd.conf file, the following restrictions are applied to PHP scripts:
• PHP looks at the owner of the running script and pretends to run as that user.
• PHP cannot switch the user ID via a setuid() call because that would require the web
server to run as root and on most operating systems it would be impossible to switch
back.
• Any file operation (through functions such as fopen(), copy(), rename(), move(), unlink(),
chmod(), chown(), chgrp(), mkdir(), file(), flock(), rmdir(), and dir()) checks to see
if the affected file or directory is owned by the same user as the PHP script.
• If safe_mode_gid is enabled in your php.ini or httpd.conf file, only the group ID needs
to match.
• include and require are subject to the two previous restrictions, with the exception of
includes and requires of files located in the designated safe_mode_include_dir in your
php.ini or httpd.conf file.
• Any system call (through functions such as system(), exec(), passthru(), and popen())
can access only executables located in the designated safe_mode_exec_dir in your
php.ini or httpd.conf file.
• If safe_mode_protected_env_vars is set in your php.ini or httpd.conf file, scripts are
unable to overwrite the environment variables listed there.
• If a prefix is set in safe_mode_allowed_env_vars in your php.ini or httpd.conf file,
scripts can manipulate only environment variables starting with that prefix.
• When using HTTP authentication, the numerical user ID of the current PHP script
is appended to the realm string to prevent cross-script password sniffing, and the
authorization header in the getallheaders() and phpinfo() output is hidden.
LOVELY PROFESSIONAL UNIVERSITY 359