FRIHOST FORUMS SEARCH FAQ TOS BLOGS COMPETITIONS
You are invited to Log in or Register a free Frihost Account!


Are calls to Python from PHP for security purposes worth it?





sailor69
Are calls to server-side Python scripts from server-side PHP scripts worth it for security purposes? This would add another layer of security, such as in knowing filenames.
Peterssidan
What security issues are you concerned about?
sailor69
In a link to a PHP script that shows up in the page's code (like in "View Page Source"), such as in the "action" attribute in a form, the reader can learn filenames on your site. It is my understanding that this can be a security issue a hacker can exploit. Also, using a different server-side language than expected could make it more difficult for a hacker to get in, if the call to the Python is only in the server-side PHP script.

I suppose you could also use Python to make call PHP scripts.

I just do not want to contribute to any vulnerability within Frihost to hacking.

Thank you,
sailor69
Peterssidan
You should never trust data that has been sent from the user. It doesn't matter if it's from an input form, a URL parameter, a cookie, or an automatic AJAX request. You always need to validate the input data to make sure it doesn't allow anything malicious, otherwise you'll have a security hole waiting to be exploited.

If there are no security holes in the code I don't think you have to worry about the filenames being known, but no one is perfect so there is of course a chance that there is a mistake somewhere that can be exploited.

The more the hacker knows about the server, the more likely he is to find a weakness. Making it look like you're using PHP when in fact you're using Python is a form of "security through obscurity". It doesn't remove the security holes. It just makes them a little harder to find. This is a relatively weak protection so I'm not sure if it's worth it or not.

I don't know how Python is called from PHP, or if it's even possible on the Frihost servers. If you want to hide file extensions it might be easier to simply use mod_rewrite. If you also want to hide which scripting language and version is being used you need to disable (or change) the X-Powered-By HTTP header. There might be other headers that you want to disable. You can view all headers that your site sends to the user by using Webconfs' HTTP header checking tool.
sailor69
I had not known the term "security through obscurity" and certainly not the history of it.

I do not have the skills of a systems analyst, but I want to do whatever I can to do my part. I suspect your hesitation is due to slowing down of script processing?

I did find the functions popen and pclose on php.net. I'll try them out.
Peterssidan
sailor69 wrote:
I suspect your hesitation is due to slowing down of script processing?

I'm more concerned about complicating things for little or no benefit. If you use popen, how do you plan to pass along the superglobals ($_GET, $_POST, $_SERVER, etc.)? I don't know how these things are handled in Python, and you might not need them for what you're doing, so maybe it's not an issue...

At least you need to be very careful if you use variables to construct the command string that is passed to popen because the last thing you want is to allow hackers to execute commands freely.

Server 1 does not allow popen to be used. It's probably the same for all Frihost servers.
phpinfo() wrote:
disable_functions: exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,dl,symlink
Related topics
Problem installing phpBB2
Remote Desktop Connection
php security problem
WordPress Glitch
[PHP/security] sending content over SSL
gd support for freetype
Flash, PHP and MySQL
what is a simple good CMS?
PHP variable problem
need help with a script
March to be the Month of PHP Bugs
PHP Security problems with latest frihost changes
PHP Security
Form Input variable
Creating a Blog in PHP - is it worth it?
Reply to topic    Frihost Forum Index -> Scripting -> Php and MySQL

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2011 Frihost, forums powered by phpBB.