Bugtraq mailing list archives
Re: Possible bug in PHPNuke and other CMS
From: BlueRaven <blue () ravenconsulting it>
Date: Fri, 4 Jun 2004 14:25:07 +0200
Il giorno 01/giu/04, alle 19:13, Luca Falavigna ha scritto:
File permissions must always permit execution of php pages by web servers. And symlink is followed and code executed because web servers must have access to that directory and code. We can operate with php security options too and obtain the same result but what if we cannot modify them? We are uncovered!!!
Agreed, but I think that, in this case, the real problem would be an insecure configuration of the underlying webserver: any security-aware administrator should configure it to NOT follow symlinks or, at last, follow them if and only if the destination file belongs to the same user (SymLinksIfOwnerMatch directive in Apache).
-- BlueRaven Did you know that, if you play a Windows 2000 CD backwards, you will hear the voice of Satan? That's nothing! If you play it forward, it will install Windows 2000!!!
Current thread:
- Re: Possible bug in PHPNuke and other CMS Peter Hagstrøm (Jun 01)
- <Possible follow-ups>
- Re: Possible bug in PHPNuke and other CMS Alexander GQ Gerasiov (Jun 01)
- Re: Possible bug in PHPNuke and other CMS Luca Falavigna (Jun 01)
- Re: Possible bug in PHPNuke and other CMS BlueRaven (Jun 04)
- Re: Possible bug in PHPNuke and other CMS Luca Falavigna (Jun 01)