Bugtraq mailing list archives
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Tue, 13 Aug 2013 21:36:32 +0200
"Reindl Harald" <h.reindl () thelounge net> wrote:
> On 12.08.2013 23:32, coderaptor wrote:
>> Why can't enable_functions be pre-populated with known good functions, and everything else disabled? Again, sacrificing security convenience is the norm.
>
> if you would only have the slightest clue what you are speaking about you would not ask that naive
>
> [harry@srv-rhsoft:~]$ php -r "print_r(get_defined_functions());" | wc -l
> 1330
>
> oh, and they depend on the loaded extensions (including 3rd party extensions)
> oh, and they *all* would have to be classified if, how and in which context they all may or may not have a security impact
That's one of the duties/tasks of their developer(s): WTFM!
>> ALL software MUST come with SECURE DEFAULTS. PERIOD. Anyone who thinks otherwise should fly in an aircraft running his own designed software. Knowledgeable Admins are not an alternative to secure defaults, rather I'd prefer both.
>
> *define what is secure* and make sure you define it by context
>
> unlink('file_my_script_wrote'); is fine

No, it's UNSAFE! The standard use case of PHP is "preprocessor for HTTP demon". There is ABSOLUTELY no need to allow the preprocessor to unlink a file.

> unlink($_GET['what_ever_input']): is a security hole

No, not necessarily. The user who can run

$ php -r "unlink($_GET['what_ever_input']);"

can also run

$ rm "$SOMEFILE"

OTOH: the user who can instruct his web browser to fetch <http://example.org/index.html> is not able to unlink $SOMEFILE by calling "rm".

> so do we now disable unlink();

Not WE, but the developer. All functions which are not used in the typical operating environment of the resp. program (see above) have to be turned off by default. "file handling" is NONE of PHP's typical operations!

Stefan Kanthak
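The thread argues over whether file-handling functions such as unlink() should be off by default in a web-facing PHP. Whichever side one takes, an administrator can at least measure the gap between the shipped php.ini and the deny-list they want. The script below is an added example, not code from the thread or from the PHP project: it parses the disable_functions directive out of a php.ini text and reports which functions from a baseline deny-list are still enabled. The baseline list, the sample ini fragments and the rule that the last disable_functions line read is the effective one are assumptions made for the example.

```python
"""Audit a php.ini 'disable_functions' directive against a baseline deny-list.

Added example (not from the mailing-list thread or from PHP). Assumes the
php.ini syntax: ';' starts a comment, directives are 'key = value', and
disable_functions takes a comma-separated list of function names.
"""
import re

# Constructed baseline: file-handling functions that the thread argues a
# web preprocessor does not need. This list is an assumption of the example,
# not something PHP or the thread defines.
FILE_HANDLING_BASELINE = frozenset({
    "unlink", "rmdir", "rename", "chmod", "chown", "symlink", "link",
})

_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_disabled_functions(ini_text: str) -> set:
    """Return the set of function names (lower-cased) listed in the
    disable_functions directive. If the directive appears more than once,
    the last occurrence is treated as the effective one (an assumption of
    this checker)."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]          # drop ';' comments
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1).strip().strip('"')  # values may be double-quoted
        disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def audit(ini_text: str, baseline=FILE_HANDLING_BASELINE) -> list:
    """Return, sorted, the baseline functions the ini leaves enabled."""
    return sorted(baseline - parse_disabled_functions(ini_text))


# Constructed sample: a typical shipped php.ini disables shell-execution
# helpers but none of the file-handling functions.
SAMPLE_INI = """\
; constructed php.ini fragment for the example
engine = On
disable_functions = exec,shell_exec,system,passthru
"""

# Constructed hardened variant: the same fragment with the baseline added.
HARDENED_INI = SAMPLE_INI + (
    "disable_functions = exec,shell_exec,system,passthru,"
    "unlink,rmdir,rename,chmod,chown,symlink,link\n"
)

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_INI), ("hardened", HARDENED_INI)):
        gaps = audit(text)
        verdict = "OK" if not gaps else "still enabled: " + ", ".join(gaps)
        print(f"{name}: {verdict}")
```

Run it against a real php.ini by reading the file into audit(); a non-empty result is the list of functions to add to disable_functions (or to justify leaving on). As Reindl Harald notes above, the set of defined functions depends on which extensions are loaded, so the baseline has to be revisited whenever an extension is added.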
Current thread:
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure, (continued)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure coderaptor (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure coderaptor (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure terry white (Aug 13)
- Message not available
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Chris Meisinger (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Jorge Dorantes (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure James Birk (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Mike Ely (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Matthew Caron (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Stefan Kanthak (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 13)