Full Disclosure mailing list archives

Re: FWD: PhotoPost vBGallery ImportantSecurity Bulletin

From: trains <trains () doctorunix com>
Date: Fri, 11 Jan 2008 12:51:10 -0600

Quoting php0t <php0t () zorro hu>:

From: "trains" <trains () doctorunix com>

The "AddType" statement for php is normally system-wide, which means
the web server will execute php scripts that may be found in the
upload directory.  This can be fixed multiple ways:


They will just place an .htaccess and do addtype themselves.
"php_admin_flag engine off" will probably render most of the issues you
mentioned useless in one shot.


I had never heard of that flag before.  Nice.

http://us.php.net/manual/es/ref.apache.php

I don't think I like seeing php and apache being so tightly coupled,  
but I suppose we need to live in the real world, eh?

tr

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services () doctorunix com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

FWD: PhotoPost vBGallery Important Security Bulletin ad () heapoverflow com (Jan 11)
- Re: FWD: PhotoPost vBGallery Important Security Bulletin trains (Jan 11)
  - Re: FWD: PhotoPost vBGallery Important Security Bulletin trains (Jan 11)
    - Re: FWD: PhotoPost vBGallery ImportantSecurity Bulletin php0t (Jan 11)
    - Re: FWD: PhotoPost vBGallery ImportantSecurity Bulletin trains (Jan 11)