
Any PHP framework to use SECURELY on shared hosting?

Are there PHP frameworks that would allow me to generate an application and then use it SECURELY on a shared hosting, as far as a shared hosting security can be achieved? By this I mean, for example, not requiring any app/tmp directory with 777 access.

Not Symfony -> http://trac.symfony-project.org/wiki/SharedHostingNotSecure

Not CakePHP -> http://book.cakephp.org/view/911/Permissions

CodeIgniter -> "If you're a developer who lives in the real world of shared hosting accounts and clients with deadlines..." - looks promising, maybe this one? But I couldn't find anything specific to shared hosting file permissions in the documentation

Maybe ZendFramework? (I am not sure if it is in the same category as a PHP framework, but it looks like it)

Any existing possible frameworks to use SECURELY on shared hosting?

You're looking at the right problem from the wrong point of view.

Having a directory with the rights 777 is not insecure per se.

Having a 777'ed directory on a shared hosting is insecure, because the http daemon is run for all clients under the same system account.

It is an intrinsic "feature" of shared hosting, that's why it's the cheapest. Yep, it's not cheap for nothing, it's cheap at the price of security.

If security is that important to you, buy a VPS. Nowadays VPSes are cheap enough.

Having to declare directories with 777 permissions is only a problem on cheapo and entry-level shared hosting systems. It's common to see the safe_mode hack and openbasedir restrictions in that area, which only prevent access via PHP but not other CGI interpreters.

Contemporary server setups use suexec/suphp, where every PHP script runs under the current account's permissions. Therefore you don't need any world-writable directories, and most PHP applications should be secure against cross-account tampering at least. The framework itself doesn't make a difference here.
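A quick way to verify the point above from an SSH session on the host, as an added example that is not from the original posts or from any framework: it lists directories under an application tree that are writable by everyone (the 777 case, reachable by every account sharing the httpd UID) and entries not owned by the account the check runs as, which is what suexec/suphp is supposed to guarantee. It assumes a POSIX sh with find(1) and id(1); `demo_audit` builds a constructed sample tree with an over-permissive `app/tmp`.

```shell
#!/bin/sh
# Audit an application tree for shared-hosting permission problems.
# Added example, not code from any framework or the original posts.

# Print directories under $1 that are writable by "other" (e.g. chmod 777).
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Print entries under $1 not owned by the current effective user. On a
# suexec/suphp host everything your scripts create should be owned by you;
# files owned by the shared httpd account indicate the older setup.
find_foreign_owned() {
    find "$1" ! -user "$(id -un)" 2>/dev/null | sort
}

# Return 0 if the tree is clean, 1 otherwise, reporting what was found.
audit_app_tree() {
    dir=$1
    status=0
    ww=$(find_world_writable_dirs "$dir")
    if [ -n "$ww" ]; then
        echo "world-writable directories (any account on the box can write here):"
        echo "$ww"
        status=1
    fi
    foreign=$(find_foreign_owned "$dir")
    if [ -n "$foreign" ]; then
        echo "entries not owned by $(id -un):"
        echo "$foreign"
        status=1
    fi
    return $status
}

# Constructed sample tree: a typical layout with a 777 tmp directory.
demo_audit() {
    root=$(mktemp -d)
    mkdir -p "$root/app/tmp" "$root/app/config"
    chmod 777 "$root/app/tmp"
    chmod 755 "$root/app/config"
    audit_app_tree "$root"
    rc=$?
    rm -rf "$root"
    return $rc
}
```

Run `audit_app_tree /path/to/your/app` against the real tree; a non-zero exit means something needs chmod or chown before the site is exposed to neighbouring accounts.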

I suggest Zend Framework. Doesn't require any file permissions as far as I know. Just needs some proper configuration. And yes, it is a PHP Framework. My entire library is owned by root, with read permissions for everyone, and it works fine. Never needed to chmod anything. When it comes to libraries you can always define your own tmp path if it's needed by the class.

Most successful attacks happen because the user/admin sticks with the defaults, which are well-known. See Windows attacks. It's unbelievable how many "administrators" keep not only default URLs and default directory structures, but also user IDs and passwords. On my website I repeatedly see login attempts at /wp-login.php with ID:PW as admin:admin. I don't even know if these are some defaults, and my website is not even WP, but it seems to be, and I think those hackers will get lucky every once in a while.

Security I believe is always about raising the bar, make it more difficult. There is never a 100% guarantee of security. I think you can choose whatever framework or application but it is your job to make it more difficult by changing the defaults.

I can only speak for ZF, and you can do some freaky configuration nobody will ever guess, unless your application has occasional errors and you show your error messages with full information.
