[nycphp-talk] FUNDAMENTALS #1: Site Structure

Sexton, David David.SextonJr at ubs.com
Thu Sep 4 11:10:02 EDT 2003


True. I guess it's actually a moot point since we're talking about security
in general. Whether you place your files in one directory or another... if
someone gains significant access to the box, you're exposed. Then again,
someone gaining FTP access using brute force could download the PHP source
code if it's in a readable directory, and considering many hosts grant FTP
access to your webroot, it would be safer to place the files somewhere else.

-----Original Message-----
From: David Sklar [mailto:sklar at sklar.com]
Sent: Thursday, September 04, 2003 10:55 AM
To: NYPHP Talk
Subject: RE: [nycphp-talk] FUNDAMENTALS #1: Site Structure


> SO, I guess if you're up to
> date on all your patches, security concerns shouldn't influence
> anyone's decision to place includes in location A rather than B.

Being "up to date on all your patches" is a theoretical goal state never
achieved in practice for any significant length of time. Even if you think
you've installed all of the currently available and relevant patches for all
of the software running on your web server, your database server, your VPN
server, your firewall, your dialup server, your employee desktops, your
coffee maker, and your pet hamster, new vulnerabilities will be discovered
and new patches released.

Security concerns should definitely influence how you organize your site.
Running Apache and/or MySQL in a chroot jail, for example, is still a good
idea even for the patch-vigilant.

David

_______________________________________________
talk mailing list
talk at lists.nyphp.org
http://lists.nyphp.org/mailman/listinfo/talk
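The layout point raised above (keep PHP include files outside the directory the web server and the host's FTP account expose) can be checked mechanically. The script below is an added example, not code from the thread or its authors: it canonicalizes a document root and each include directory and reports any include directory that resolves to a path inside the document root. The sample layout under a temp directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a PHP site layout and
# flag include directories that live under the web document root, where a
# misconfigured server or a webroot-scoped FTP account could expose their
# source. Paths used in demo() are constructed for illustration.

# Print the canonical absolute path of a directory (fails if it does not exist).
canon() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# Usage: exposed_include_dirs DOCROOT DIR...
# Prints every DIR that resolves inside DOCROOT, one per line.
# Returns 0 if none is exposed, 1 if at least one is, 2 if DOCROOT is invalid.
exposed_include_dirs() {
    docroot=$(canon "$1") || return 2
    shift
    rc=0
    for d in "$@"; do
        real=$(canon "$d") || { echo "missing: $d" >&2; continue; }
        case "$real" in
            "$docroot"|"$docroot"/*) echo "$real"; rc=1 ;;
        esac
    done
    return $rc
}

# Build a constructed sample site and audit it:
#   site/htdocs/inc  -> include dir inside the docroot (flagged)
#   site/lib         -> include dir beside the docroot (fine)
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/htdocs/inc" "$tmp/site/lib"
    exposed_include_dirs "$tmp/site/htdocs" "$tmp/site/htdocs/inc" "$tmp/site/lib"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo
```

Run it against a real deployment by passing the server's DocumentRoot and the directories named in PHP's include_path; a non-zero exit from exposed_include_dirs means at least one include directory is inside the served tree and should be moved (or the files placed behind a deny rule as a stopgap).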


