How big of a security risk is that 'security risk' really?

zeroality · Post by **zeroality** » Sun Jun 18, 2006 8:11 am

When installing, it checks for your PHP version then whether something is disabled or not, I forget the name. It said that if it's enabled then it exposes a potential security risk, something or the other.

For my host, it was uh enabled.. or disabled? (whichever one is the security risk) so that got me to wondering...

Just how big of a security risk is this, strictly speaking? Because my host probably won't change something like that just for me, unless that's an individual setting and not a global one.

Also why aren't the md5 encryption strings for the passwords in the database salted or somehow beefed up? There are so many md5 reverse lookup sites out there, etc. It's not as secure as it should be.

peaches · Post by **peaches** » Sun Jun 18, 2006 8:21 am

I have the same question. Salting is essentially important as phpbb is open-source and can easily get into the hands of a malicious user.

Post by **Paul** » Sun Jun 18, 2006 8:27 am

You mean register_globals? The most secrity exploits are there because register globals is enabled(not all, but a the most

). If you need register globals, you can better rewrite your script.

zeroality · Post by **zeroality** » Sun Jun 18, 2006 10:11 am

I don't even use php other than a small search engine on my site and phpBB. I'll see if I can get it disabled.

Uchiha Nick · Post by **Uchiha Nick** » Sun Jun 18, 2006 10:50 am

paulus wrote: You mean register_globals? The most secrity exploits are there because register globals is enabled(not all, but a the most ). If you need register globals, you can better rewrite your script.

so true.. globals are evil!

Cheater512 · Post by **Cheater512** » Sun Jun 18, 2006 1:10 pm

Its not much of a security risk.

Think of it this way: You use Windows which is a much bigger security risk.

Post by **Paul** » Sun Jun 18, 2006 1:33 pm

Cheater512 wrote: Its not much of a security risk.

Think of it this way: You use Windows which is a much bigger security risk.

windows using is a security risk, register globals is also a risk. If register globals is off, many exploits don't work

SHS` · Post by **SHS`** » Sun Jun 18, 2006 1:43 pm

Register Globals is something that is termed BAD (Broken As Designed), and come PHP6, if this setting is even detected in php.ini (and some other legacy settings which are just BAD)... PHP6 will refuse to even start and throw an E_CORE error.

zeroality · Post by **zeroality** » Sun Jun 18, 2006 8:47 pm

Well is that something I'd usually be able to disable myself in a hosting ACP? For reference, I use 1and1hosting.

Or would I have to contact them? Would they even be willing to do it?

SHS` · Post by **SHS`** » Sun Jun 18, 2006 8:56 pm

zeroality wrote: Or would I have to contact them? Would they even be willing to do it?

"Suck it and see"

Otherwise... switch hosts.

"Voting with one's feet".

Development Discussion Board

How big of a security risk is that 'security risk' really?

How big of a security risk is that 'security risk' really?

Re: How big of a security risk is that 'security risk' reall

Re: How big of a security risk is that 'security risk' reall

Re: How big of a security risk is that 'security risk' reall

Re: How big of a security risk is that 'security risk' reall

Re: How big of a security risk is that 'security risk' reall

Re: How big of a security risk is that 'security risk' reall

Re: How big of a security risk is that 'security risk' reall

Re: How big of a security risk is that 'security risk' reall

Re: How big of a security risk is that 'security risk' reall