I’m trying out blacknight.com for WP hosting. One issue I’ve found so far is that they won’t enable passthru, which in turn means WP-DBManager won’t work. I’ve not seen this disabled on any other host. They claim it’s too much of a security risk to enable, saying:
The PHP passthru command is used to execute an external application and as such, vulnerabilities can be exploited to run arbitrary code. It also allows users to run their own binary code, which as a web host is not something we would want to allow.
More importantly, passthru does not respect the open_basedir limitation, so when used in conjunction with PHP running in Apache mode, would allow an insecure script (or done deliberately) to be used to modify any Apache-owned files on the server including other users' sites. You could also dig into the system internals looking for additional core component information, which could make an attacker's life a lot easier.
Some providers may be running Apache in CGI mode only, which would limit the ability to do this to a degree – however we offer both CGI and Apache mode as there are a number of limitations when running Apache in CGI mode only.
Now, is every other host I’ve used running insecure servers? Or are blacknight.com wrong about this? I rely a lot on WP-DBManager, so the situation with this might be a deal-breaker in terms of hosting.
- The topic ‘[Plugin: WP-DBManager] passthru and security?’ is closed to new replies.
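The host's reply turns on three settings: which command-execution functions (passthru among them) are enabled, whether open_basedir is set, and whether PHP runs as an Apache module or as CGI. The following is an added example, not part of the original post or of WP-DBManager, that reports those settings for the PHP environment it runs in; the function names `parse_disabled` and `audit` and the sample paths are made up for this example.

```php
<?php
// Added example. Functions that start external programs; the processes they
// spawn are not subject to PHP's open_basedir check.
const EXEC_FUNCTIONS = ['passthru', 'exec', 'system', 'shell_exec', 'popen', 'proc_open'];

// Split a disable_functions value ("exec, passthru,...") into lowercase names.
function parse_disabled(string $iniValue): array
{
    $names = array_map('trim', explode(',', strtolower($iniValue)));
    return array_values(array_filter($names, 'strlen'));
}

// Return warnings for the combinations the host's reply describes.
function audit(string $disableFunctions, string $openBasedir, string $sapi): array
{
    $enabled = array_values(array_diff(EXEC_FUNCTIONS, parse_disabled($disableFunctions)));
    if ($enabled === []) {
        return [];
    }
    $findings = ['enabled: ' . implode(', ', $enabled)];
    if ($openBasedir !== '') {
        $findings[] = "open_basedir={$openBasedir} does not confine commands these functions start";
    }
    // Apache module SAPIs run scripts inside the web server process, so commands
    // inherit its user (assumption: one shared user, as in the host's reply).
    if (in_array($sapi, ['apache2handler', 'apache'], true)) {
        $findings[] = "SAPI {$sapi}: commands run as the web server user";
    }
    return $findings;
}

// Report on the PHP environment this script runs in.
$report = audit(
    (string) ini_get('disable_functions'),
    (string) ini_get('open_basedir'),
    PHP_SAPI
);
echo $report === [] ? "No command-execution functions enabled\n" : implode("\n", $report) . "\n";

// Constructed sample: nothing disabled, open_basedir set, PHP as an Apache module.
print_r(audit('', '/home/example/public_html', 'apache2handler'));
// Constructed sample: all six functions disabled, PHP running as CGI.
print_r(audit('passthru,exec,system,shell_exec,popen,proc_open', '/home/example', 'cgi-fcgi'));
```

Request the script through the web server rather than running it from the command line, because the CLI often loads a different php.ini and reports a different SAPI.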