[Owasp-leaders] Fwd: PHP Security Cheat Sheet reboot

Abbas Naderi Afooshteh abbas.naderi at owasp.org
Sun Jul 8 20:13:54 UTC 2012

Hi Achim,
Sorry i'm sharing it with people without your permission, I want a general discussion on the matter.

Let's provide a brief description for others (read more at discussion page of PHP Security Cheat Sheet https://www.owasp.org/index.php/Talk:PHP_Security_Cheat_Sheet)

We have a discussion about whether practice or security comes first. Achim states that error_reporting should be off, as well as upload_files, and disable a list of functions. 

I, on the other hand, insist that practice comes first. I say that if we do error_reporting off, since every application needs debugging and debugging needs error reporting, developers are bound to turn it on due to inconvenience and leave it that way. My proposed solution was to provide a basic framework around this that controls error reporting (it should be on in PHP settings) and log errors for usual website user and display it when admin logs in or when in development machine (adaptive code).

Also Achim states that we should disable options like allow_url_fopen, but I'm saying that LFI is insecure enough and can be converted to RFI without much hassle, so we should raise awareness and let developers never do LFI instead of shutting RFI's obvious method.

I want to know your opinion on this, so that I might learn a thing or two.

PS. I mostly agree with Achim on this topic, but had to separate ways for a more clear discussion on this mail.
Notice: This message is digitally signed, this means that its source and integrity are verifiable.
Certain mail clients would automatically verify this email and present a "signed and sealed" sign, but others might just provide  a downloadable file (smime.p7s), which includes the X.509 certificate and the signature body.
In this case, you can either ignore it or manually verify it. Read more on this at Certified E-Mail with Comodo and Thunderbird at AbiusX.com

Begin forwarded message:

> From: Achim <achim at owasp.org>
> Subject: Re: PHP Security Cheat Sheet reboot
> Date: تیر ۱۹, ۱۳۹۱، ساعت ۰:۱۴:۴۳ (GMT+۰۴:۳۰)
> To: Abbas Naderi Afooshteh <abbas.naderi at owasp.org>
> Reply-To: Achim <achim at owasp.org>
> Am 02.07.2012 22:52, schrieb Abbas Naderi Afooshteh:
>> Hello leaders,
>> I'm rebooting
>> https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
> Hi Abbas,
> have read your comment in the disussion page.
> When I read your comments, it looks to me that you want to make
> a cheat sheet for easy developing. But the  S  in owaSp stands
> for security and not for "simple" debugging.
> OWASP's suggestions and recomendations are about security first.
> And here the security server-side, then security according user
> and user-data client-side. If that works we try to not break well
> working existing systems.
> Developers have to follow OWASP recomendation and not OWASP have
> to follow lazy developers.
> Said this, any development, staging or testing system can be setup
> without security if they are not at risk. But a system in production
> has to be seucre. In particular do productive system not expose
> error message but provide a simple 
> 	"An error has occured, transaction aborted."
> message if any security violation is detected.
> One step in security is to avoid information disclosure.
> We should not change these rules in the PHP cheat sheet.
> Do you agree?
> Achim

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120709/4527fe79/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4889 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120709/4527fe79/attachment.bin>

More information about the OWASP-Leaders mailing list