security
Differences
| | security [2016/11/11 12:29] – krakjoe | | security [2016/11/11 19:10] – krakjoe |
|---|---|---|---|
| | Line 4: | | Line 4: |
| | * Date: November 2016 | | * Date: November 2016 |
| | * Version: 1.0.0 | | * Version: 1.0.0 |
| | | + | * RFC: [[rfc: |
| | ====== Introduction ====== | | ====== Introduction ====== |
| | Line 37: | | Line 38: |
| | This category also may include issues that require special code or code pattern if such code or pattern is present in many popular libraries. | | This category also may include issues that require special code or code pattern if such code or pattern is present in many popular libraries. |
| - | This kind of issues usually | + | This kind of issues usually |
| | ===== Medium severity ===== | | ===== Medium severity ===== |
| | Line 53: | | Line 54: |
| | ===== Low severity ===== | | ===== Low severity ===== |
| - | This issue allows theoretical compromise of security, but practical attack is usually impossible or extremely hard due to common practices or limitations that are virtually always present. | + | This issue allows theoretical compromise of security, but practical attack is usually impossible or extremely hard due to common practices or limitations that are virtually always present |
| | This also includes problems with configuration, | | This also includes problems with configuration, |
| | Line 67: | | Line 68: |
| | We do not classify as a security issue any issue that: | | We do not classify as a security issue any issue that: |
| - | * requires invocation of specific code (unless it is a very simple frequently used code, such as starting a session, calling a constructor, | + | * requires invocation of specific code, which may be valid but is obviously malicious |
| - | * requires invocation of functions with specific arguments | + | * requires invocation of functions with specific arguments, which may be valid but are obviously malicious |
| - | * requires specific actions to be performed on the server | + | * requires specific actions to be performed on the server, which are not commonly performed, or are not commonly |
| | * requires privileges superior to that of the user (uid) executing PHP | | * requires privileges superior to that of the user (uid) executing PHP |
| | * requires the use of debugging facilities - ex. xdebug, var_dump | | * requires the use of debugging facilities - ex. xdebug, var_dump |
| | * requires the use of settings not recommended for production - ex. error reporting to output | | * requires the use of settings not recommended for production - ex. error reporting to output |
| | * requires the use of non-standard environment variables - ex. USE_ZEND_ALLOC | | * requires the use of non-standard environment variables - ex. USE_ZEND_ALLOC |
| - | * requires the use of non-standard builds | + | * requires the use of non-standard builds |
| | * requires the use of code or settings known to be insecure | | * requires the use of code or settings known to be insecure |
| | Line 86: | | Line 87: |
| | Q. How do I report a security issue?\\ | | Q. How do I report a security issue?\\ |
| - | A. Please report it on http:// | + | A. Please report it on http:// |
| | Q. What do you consider a responsible disclosure? | | Q. What do you consider a responsible disclosure? |
security.txt · Last modified: 2024/01/30 17:35 by derick