Reform of file_uploads in php.ini
John Carne, Tuesday, 27 December 2016
Hi,

Even if we use CXS to protect websites, it is not sufficient. Sometimes, many hackers have succeeded in taking control over websites by injecting a pyramid of files which are not detected as exploits or viruses, but rather were efficient PHP scripts which truly travelled through the site files until they got to sensitive data.
We saw that dozens of times this year, and it is true that some modules/templates with exploits have facilitated the job of the hacker...

mail and sendmail are now forbidden on our servers; this is also an incredible spam exploit, and totally deprecated...

file_uploads is a security disease which the PHP community has never made any effort to reform; maybe CloudLinux will take over the challenge...

We suggest:
- existing file_uploads = OFF all the time
- adding a second directive, e.g. file_uploads_sess, which can override the original file_uploads, and which would be ON by default of course: file_uploads_sess = ON

The condition is authentication: only those who are authenticated successfully could send a file (only these need to be able to do that, beginning with the webmaster creating his products in his shops or a blogger posting his articles + pictures):
- webmaster through the admin website
- a forum user or client of the website, also for support, for example: he can send a screenshot
- for a contact form without authentication: we could introduce a secondary acceptable condition: captcha

Thanks for attention,
John
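The gating policy proposed above, as an added PHP example that is not part of the thread: since file_uploads is a PHP_INI_SYSTEM directive and cannot be toggled per request, the three conditions (admin, authenticated member, captcha for anonymous contact forms) are enforced in the upload handler instead. The session keys, role names, captcha-answer-in-session pattern and storage path are assumptions.

```php
<?php
// Added example (not from the thread): enforce the proposed policy in the upload
// handler, because file_uploads is PHP_INI_SYSTEM and cannot be toggled per request.
// Assumed: login code sets $_SESSION['user_role'], the CAPTCHA answer is stored in
// $_SESSION['captcha_answer'] when generated, and UPLOAD_DIR is outside the web root.
declare(strict_types=1);
session_start();
const UPLOAD_DIR = '/var/www/uploads';   // assumed path, not served by the web server
const MAX_BYTES  = 2 * 1024 * 1024;
// Content-sniffed MIME type => extension the server assigns (client name is ignored).
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif', 'application/pdf' => 'pdf'];

// Rule 3 of the proposal: an anonymous contact form may upload only with a solved CAPTCHA.
function captcha_is_valid(array $session, string $answer): bool
{
    $expected = $session['captcha_answer'] ?? '';
    return $expected !== '' && hash_equals($expected, $answer);
}
// Rules 1 and 2: an authenticated webmaster or member may always upload.
function upload_allowed(array $session, string $captchaAnswer): bool
{
    return in_array($session['user_role'] ?? '', ['webmaster', 'member'], true)
        || captcha_is_valid($session, $captchaAnswer);
}

// Validate one $_FILES entry and store it under a server-chosen random name.
function accept_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected: error status or size');
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // must originate from this HTTP request
        throw new RuntimeException('not an uploaded file');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('type not allowed: ' . $mime);
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

if (!upload_allowed($_SESSION, (string) ($_POST['captcha'] ?? ''))) {
    http_response_code(403);
    exit('uploads require a login or a solved captcha');
}
echo accept_upload($_FILES['attachment'] ?? []);
```

Keeping file_uploads = Off globally and enabling it only for the vhost or pool that hosts this handler gives the same effect at the server level with today's PHP.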
#1 Bogdan, 04.01.2017 07:01:14
Hi,

You are saying the right things here; however, we are not developing PHP and not adding any features of our own to it. We just implement existing builds/patches for it. If the feature exists in some extension, sure, we will include it.

Suppose you have to say the same on php.net. That is the right place for such a feature.
#2 John Carne, 11.01.2017 13:01:59
Don't have a clue how to open a thread there:
http://ro1.php.net/support.php
#3 Bogdan, 12.01.2017 04:01:48
Suppose the right way is to create a bug report about it, however use 'Feature' as the type at https://bugs.php.net/report.php .

Or, use the "General user list" from their mailing lists: http://php.net/mailing-lists.php
#4 John Carne, 12.01.2017 07:01:26
Done, these guys are unreachable!
#5 John Carne, 13.01.2017 09:01:59
They answered:

This is a feature request. Besides that it's not clear to me
how PHP should check the authorization, introducing a new ini
option would require the RFC process[1], so I'm suspending this
request until someone cares to propose a respective RFC.

[1] http://wiki.php.net/rfc/howto
#6 Bogdan, 13.01.2017 11:01:28
That is what I was talking about. Coding new features is done by php.net and their policies. But overall, yes, it looks like they are unreachable.

Sorry, but we can not help from our side.