Re: php & passthru & system

[Jedi/Sector One <j () pureftpd org>]

On Tue, Apr 23, 2002 at 11:15:22AM +0300, Evrim ULU wrote:
> i was wondering if there is a way to disable the passthru and system 
> functions in php easily.

At compile time, the --disable-posix ./configure switch may help.
Also please review your php.ini file for a line starting with :

disable_functions =

You can disable individual functions with that directive.

> There are a lot of webhosting firms serving php with ftp accounts and 
> i've seen that if their firewall is not configured properly i can open a 
> xterm with my user priviledges.

There are tons of other flaws when these servers are behind a poorly
configured firewalls that filters some ports _in_, but pass everything
through _out_ . No need to use X11 clients to get a shell. Just install
anything that will connect to your machine and redirect stdin/stdout to the
socket. You will even pass through any NAT box with that.

> Is there an easy way to disable these function before compilation&after 
> compliation and any firewall rules like -A OUTPUT -p tcp 
> --destination-port 6000 -j DROP?

Drop _everything_ out, and use a modern stateful firewall that will only 
open ports on demand.


-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j () 42-Networks Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/";> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/";> Misc. free software </a>  \/