diff --git a/chapters/security.xml b/chapters/security.xml index 063016f61d..b9047c1dbd 100644 --- a/chapters/security.xml +++ b/chapters/security.xml @@ -254,6 +254,22 @@ AddHandler php3-script .php3 + + Keeping Current + + PHP, like any other large system, is under constant scrutiny and + improvement. Each new version will often include both major and + minor changes to enhance and repair security flaws, configuration + mishaps, and other issues that will affect the overall security + and stability of your system. + + + Like other system-level scripting languages and programs, the best + approach is to update often, and maintain awareness of the latest + versions and their changes. + + + Installed as an Apache module @@ -422,14 +438,18 @@ if (!ereg('^[^./][^/]*$', $userfile)) developer who is trying to debug a script, indicating such things as the function or file that failed, the PHP file it failed in, and the line number which the failure occured in. This is all - information that can be exploited. + information that can be exploited. It not uncommon for a php + developer to use show_source(), highlight_string(), or + highlight_file() as a debugging measure, but in a live site, this + can expose hidden variables, unchecked syntax, and other dangerous + information. - For example, the very style of error indicates a system is running - PHP. If the attacker was looking at an .html page, and wanted to - probe for the back-end (to look for known weaknesses in the system), - by feeding it the wrong data they may be able to determine that a - system was built with PHP. + For example, the very style of a generic error indicates a system + is running PHP. If the attacker was looking at an .html page, and + wanted to probe for the back-end (to look for known weaknesses in + the system), by feeding it the wrong data they may be able to + determine that a system was built with PHP. A function error can indicate whether a system may be running a 
@@ -444,7 +464,9 @@ if (!ereg('^[^./][^/]*$', $userfile)) A filesystem or general PHP error can indicate what permissions the webserver has, as well as the structure and organization of - files on the web server. + files on the web server. Developer written error code can aggravate + this problem, leading to easy exploitation of formerly "hidden" + information. There are three major solutions to this issue. The first is to diff --git a/security/index.xml b/security/index.xml index 063016f61d..b9047c1dbd 100644 --- a/security/index.xml +++ b/security/index.xml @@ -254,6 +254,22 @@ AddHandler php3-script .php3 + + Keeping Current + + PHP, like any other large system, is under constant scrutiny and + improvement. Each new version will often include both major and + minor changes to enhance and repair security flaws, configuration + mishaps, and other issues that will affect the overall security + and stability of your system. + + + Like other system-level scripting languages and programs, the best + approach is to update often, and maintain awareness of the latest + versions and their changes. + + + Installed as an Apache module 
@@ -422,14 +438,18 @@ if (!ereg('^[^./][^/]*$', $userfile)) developer who is trying to debug a script, indicating such things as the function or file that failed, the PHP file it failed in, and the line number which the failure occured in. This is all - information that can be exploited. + information that can be exploited. It not uncommon for a php + developer to use show_source(), highlight_string(), or + highlight_file() as a debugging measure, but in a live site, this + can expose hidden variables, unchecked syntax, and other dangerous + information. - For example, the very style of error indicates a system is running - PHP. If the attacker was looking at an .html page, and wanted to - probe for the back-end (to look for known weaknesses in the system), - by feeding it the wrong data they may be able to determine that a - system was built with PHP. + For example, the very style of a generic error indicates a system + is running PHP. If the attacker was looking at an .html page, and + wanted to probe for the back-end (to look for known weaknesses in + the system), by feeding it the wrong data they may be able to + determine that a system was built with PHP. A function error can indicate whether a system may be running a @@ -444,7 +464,9 @@ if (!ereg('^[^./][^/]*$', $userfile)) A filesystem or general PHP error can indicate what permissions the webserver has, as well as the structure and organization of - files on the web server. + files on the web server. Developer written error code can aggravate + this problem, leading to easy exploitation of formerly "hidden" + information. There are three major solutions to this issue. The first is to
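Review bot: the new "Keeping Current" section (hunk @@ -254, added identically to chapters/security.xml and security/index.xml) tells readers to "update often, and maintain awareness of the latest versions and their changes" but never says where that awareness comes from; a sentence pointing at the release announcements and the ChangeLog as the things to watch would make the advice actionable. Wording: "Each new version will often include" reads better as "Each new version often includes", and "configuration mishaps" is vague where "misconfigurations" is meant. Both file headers carry the same index line `063016f61d..b9047c1dbd`, so this is one blob committed under two paths; worth confirming the duplication is intended rather than an accidental copy.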
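Review bot: in hunk @@ -422 (both files) the added sentence "It not uncommon for a php developer to use show_source(), highlight_string(), or highlight_file()" is missing a verb ("It is not uncommon") and lowercases "php" while the surrounding paragraph writes "PHP". It names the risk without the remedy; add that such debugging calls must be removed before a script goes live, not merely discouraged. "unchecked syntax" does not say what is actually disclosed; state it plainly: the script source itself, including any variables or credentials embedded in it. The unchanged context line "the line number which the failure occured in" carries a pre-existing typo ("occurred") that could be fixed while this paragraph is being edited.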
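Review bot: in hunk @@ -444 (both files) "Developer written error code" should be hyphenated ("Developer-written") and is ambiguous as written; say directly that custom error handlers which echo file paths, queries or variable contents back to the browser widen the disclosure. "leading to easy exploitation of formerly "hidden" information" overstates the point: the error discloses information, and whether that is exploitable depends on what was leaked, so "disclosure" is the accurate word. Since the next paragraph introduces "three major solutions", the new sentence could also hint that the developer-written handler is where the fix belongs, for instance logging the detail server-side instead of displaying it.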