Bugtraq mailing list archives
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Reindl Harald <h.reindl () thelounge net>
Date: Tue, 13 Aug 2013 21:57:59 +0200
On 13.08.2013 21:36, Stefan Kanthak wrote:

>> *define what is secure* and make sure you define it by context
>> unlink('file_my_script_wrote'); is fine
>
> No, it's UNSAFE! The standard use case of PHP is "preprocessor for HTTP daemon". There is ABSOLUTELY no need to allow the preprocessor to unlink a file.

come back to reality: the standard use case of PHP is developing WEB APPLICATIONS, which typically deal with file uploads and such things. you can whine about it but *that is* the use case of PHP

>> unlink($_GET['what_ever_input']): is a security hole
>
> No, not necessarily. The user who can run
> $ php -r "unlink($_GET['what_ever_input']);"
> can also run
> $ rm "$SOMEFILE"

if you had a clue what you are speaking about you would know what $_GET is - hint: it has nothing to do with a terminal

> OTOH: the user who can instruct his web browser to fetch <http://example.org/index.html> is not able to unlink $SOMEFILE by calling "rm".

wow - without you explaining to the world that static HTML pages are safe we would go down - genius. for that you do not need suEXEC, perl, PHP or whatever at all

>> so do we now disable unlink();
>
> Not WE, but the developer. All functions which are not used in the typical operating environment of the resp. program (see above) have to be turned off by default. "file handling" is NONE of PHP's typical operations!

why do people who never wrote a serious web application not simply shut up in this thread?
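As an added example (not from this thread or either poster), the pattern argued over above in both forms: the unlink() call fed straight from $_GET as quoted, next to a version that confines deletion to an upload directory. UPLOAD_DIR, deleteUpload(), deleteUnsafe() and the 'file' request parameter are assumed names, not anything from the thread.

```php
<?php
// Added example, not code from the thread. Assumed: uploaded files live
// directly under UPLOAD_DIR and clients refer to them by bare file name.
const UPLOAD_DIR = '/var/www/app/uploads';   // assumed path

// The pattern quoted in the thread: whatever the client sent is unlinked.
// Any file the web server's (or suEXEC target) user may delete is reachable.
function deleteUnsafe(string $userInput): bool
{
    return unlink($userInput);
}

// Hardened variant: accept a plain file name only, resolve it, and verify the
// resolved path still lies inside UPLOAD_DIR before touching the filesystem.
function deleteUpload(string $userInput): bool
{
    // Reject empty names, anything containing a path separator, the dot
    // directories, and embedded NUL bytes (which truncate C-level paths).
    if ($userInput === '' || $userInput !== basename($userInput)
        || $userInput === '.' || $userInput === '..'
        || strpos($userInput, "\0") !== false) {
        return false;
    }
    $base   = realpath(UPLOAD_DIR);
    $target = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $userInput);
    // realpath() returns false for missing files and resolves symlinks, so a
    // link planted in the upload directory that points elsewhere fails the
    // prefix check below instead of being followed.
    if ($base === false || $target === false) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;   // resolved outside the upload directory
    }
    if (!is_file($target)) {
        return false;   // directories and special files are never removed
    }
    return unlink($target);
}

// Request handler (constructed): only the hardened function is ever called.
$name = $_GET['file'] ?? '';
http_response_code(deleteUpload($name) ? 204 : 400);
```

Disabling unlink() in php.ini (disable_functions) is a separate, coarser control; the check above is what an application that must delete uploads still needs.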