Security doubts
Joined: 04 Oct 2014
Posts: 1
Hello,
I am new to NuSphere PHPEd. Anyway, I am a little bit cautious about installing software on my (publicly accessible) server just because somebody tells me to.

What I have noticed after uploading dbg-wizard.php to my web server is that, when I point my browser at this file, it is very willing to tell anybody who wants to know a lot of information about my server which I would not like anybody to know. This is not good security practice, just as it would not be good practice to have a file called phpinfo.php on the server calling the phpinfo() function.

This brings me to the general question of whether PHPEd, or rather its debugger, has been developed with security in mind. The script tells me that it is not enough to upload the dbg-wizard.php script, but that I should now even add a module to my PHP installation, which I am not keen to do at all. I try to cope with security issues by keeping my server software up to date through yum and, regarding my own scripts, by staying up to date with good programming practices (clear use of variable scopes, escaping user-submitted variables to prevent SQL injection and so on); I also rely on the fact that my scripts are not a valuable enough target for a hacker to waste the time needed to break them.

So, my questions are:
- If a security bug in the PHPEd debugger were found, how would I get notified in order to update the PHP script and the PHP module?
- How can I restrict access to the PHPEd debugger so that it talks to nobody but me (i.e. my installation of PHPEd)?

Best Regards,
Ben.
Posted by carda
Guru master

Joined: 24 Jul 2009
Posts: 737
I believe that normally PhpED removes dbg-wizard.php after it has done its check; at least on all the sites that I've set up projects for recently, PhpED copies the dbg-wizard, does its check and deletes the file. Under some circumstances where you do not have a publishing account set up, you might have to copy the file manually, which means that you should delete it afterwards.

There are two sets of NuSphere debug modules available; the smaller bundled modules and also a separate module download in your account. That separate download includes modules that support encryption.

The DBG module settings in php.ini allow you to restrict access by IP address, so other PhpED clients will not be able to connect. In addition to that, on the server firewall you can set the debugger port to be available only to specific IP addresses, such as your broadband address, and that would probably be a good idea given that you do not know what vulnerabilities (e.g. DoS) DBG may have.

http://www.nusphere.com/kb/technicalfaq/howto_install_dbg_module.htm

Personally I rarely install the DBG module on a whole server; instead, for sites that I want to debug on a public server, I use PHP in a mode that allows just that site to have the debugger module installed (e.g. effectively that site has its own php.ini). Having said that, I only debug on a public server when there is a problem that I cannot debug locally for some reason, and then I remove the debugger from the site.

You can of course also debug over an SSH tunnel and that implicitly includes encryption; probably a good way of doing it? http://www.nusphere.com/products/php_editor_ssh_tunnel.htm
Posted by plugnplay
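As an added illustration of the IP restriction described in the reply (not from the thread and not NuSphere's own documentation), here is a php.ini fragment with a permissive DBG configuration beside a restricted one. The `debugger.*` keys are the DBG module settings as I recall them from its documentation and the IP addresses are placeholders, so check both against the KB page linked above.

```ini
; Constructed example: DBG debugger settings in php.ini.
; Key names are as I recall from the DBG module documentation (assumption,
; verify against the NuSphere KB); addresses are placeholders.

; --- Permissive: what you do not want on a publicly reachable server ---
[debugger]
debugger.enabled = on
debugger.JIT_enabled = on        ; server opens sessions on its own initiative
debugger.JIT_host = clienthost
debugger.JIT_port = 7869
debugger.hosts_allow = ALL       ; any address may attach a debugger client
debugger.hosts_deny =            ; nothing is denied
debugger.ports = 7869, 10000/16  ; wide port range, harder to firewall precisely

; --- Restricted: only your own workstation, only while you are debugging ---
debugger.enabled = on            ; switch to off (or unload the module) when done
debugger.JIT_enabled = off       ; no just-in-time sessions started by the server
debugger.hosts_deny = ALL        ; deny everyone by default ...
debugger.hosts_allow = 127.0.0.1 203.0.113.10
                                 ; ... except loopback (SSH tunnel endpoint) and
                                 ; your own broadband address (203.0.113.10 is a
                                 ; placeholder from the documentation range)
debugger.ports = 7869            ; one known port, matched by the firewall rule
```

Pair the restricted block with a firewall rule that admits the same addresses to port 7869 only, or keep `hosts_allow` at `127.0.0.1` and reach the server through the SSH tunnel the reply links to.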