WebApp Sec mailing list archives

Re: Mambo, Coppermine and PHPBB Attacks

From: ascii <ascii () katamail com>
Date: Fri, 30 Dec 2005 04:16:23 +0100

Yasuo Ohgaki wrote:

OWASP guideline may be better to be updated, since allow_url_fopen=off
is not practical and allow_url_fopen=off does not provide good enough safe guard.


good points

allow_url_fopen and many other functions try to do their best at the
application level

often php is uber hardened while cgi and exec are still allowed

so imho the best combination is:
 - try to solve the problem with php settings (url fopen, open basedir,
   exec dir, etc) and with apache (the favolous perchild concept :P)
 - set up some acl system like selinux or rsbac
 - set up grsec and use the group socket restrictions

is there somebody "developing" mpm-perchild?

too late for long emails,
Francesco 'ascii' Ongaro - http://www.ush.it/

Current thread:

Mambo, Coppermine and PHPBB Attacks Mark Ryan del Moral Talabis (Dec 18)
- RE: Mambo, Coppermine and PHPBB Attacks John Cobb (Dec 19)
- Re: Mambo, Coppermine and PHPBB Attacks Paul Laudanski (Dec 20)
  - Re: Mambo, Coppermine and PHPBB Attacks Tofik Suleymanov (Dec 20)
    - Re: Mambo, Coppermine and PHPBB Attacks Paul Laudanski (Dec 21)
    - Re: Mambo, Coppermine and PHPBB Attacks Yasuo Ohgaki (Dec 24)
    - Re: Mambo, Coppermine and PHPBB Attacks Paul Laudanski (Dec 24)
    - Re: Mambo, Coppermine and PHPBB Attacks Yasuo Ohgaki (Dec 25)
    - Re: Mambo, Coppermine and PHPBB Attacks Paul Laudanski (Dec 25)
    - Re: Mambo, Coppermine and PHPBB Attacks Yasuo Ohgaki (Dec 29)
    - Re: Mambo, Coppermine and PHPBB Attacks ascii (Dec 29)
    - Re: Mambo, Coppermine and PHPBB Attacks Andrew van der Stock (Dec 29)
    - Re: Mambo, Coppermine and PHPBB Attacks Jack Tennessee (Dec 22)