PHP is a very popular language with many flawed security features. Every PHP developer and hoster should understand the primary attack vectors being used by attackers against PHP applications. This article is the underlying research behind the SANS Top 20 2005's PHP section. The methodology used in the preparation of this article is to review all Bugtraq postings containing the word PHP and categorize each unique flaw.
Safe Mode implemented without design or thought is simply not safe. It cannot be made to be safe, and does not add any actual safety. Most of the restrictions implemented by safe mode can be worked around by clever hacks. These have been extensively used by software which needs to get around the safe_mode restrictions to operate, and by many PHP attacks, which seem to bypass it like a hot knife running through butter.
Hosters, do not just switch safe_mode on and lock it down hard. Such controls rarely work as expected and, more to the point, safe_mode does not prevent any of the five major attack vectors presented in this paper. Only through code reviews and ensuring that code is tested for security flaws can the risk of attack be reduced.
This is not to say that safe_mode is useless. Well-designed software can use thoughtfully chosen safe_mode restrictions to improve defense in depth. Such software should be given that opportunity by using .htaccess (or similar mechanisms) to selectively enable the safe_mode restrictions it needs.