"return flase" causes PHP website to be hacked

You can talk about almost anything that you want to on this board.

Moderator: Moderators

tepples
Posts: 22284
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Re: "return flase" causes PHP website to be hacked

Post by tepples » Fri Mar 08, 2019 8:23 am

I imagine that PHP team would reply that if a log file is not "something immediately visible by the programmer", then you need to change your PHP configuration so that it is. For example, give your developer read permission on PHP's error log (and traversal permission to its parent directories) without having to become root each time.

Detailed error logs provide knowledge of the internals of a program. If you're developing a web application open to the public, which is still a common use case for PHP, you don't want an attacker to have this knowledge, as it could highlight a defect in your program that the attacker could use to compromise the confidentiality, integrity, or availability (CIA) of your application.

From the error reporting configuration in the PHP documentation:
display_errors (string)

This determines whether errors should be printed to the screen as part of the output or if they should be hidden from the user.
[...]
Note:
This is a feature to support your development and should never be used on production systems (e.g. systems connected to the internet).

Post Reply