Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Tue, 13 Aug 2013 21:36:32 +0200
"Reindl Harald" <h.reindl () thelounge net> wrote:

> On 12.08.2013 23:32, coderaptor wrote:
>> Why can't enable_functions be pre-populated with known good functions, and everything else disabled? Again,
>> sacrificing security for convenience is the norm.
>
> if you would only have the slightest clue what you are speaking about
> you would not ask that naively
>
> [harry () srv-rhsoft:~]$ php -r "print_r(get_defined_functions());" | wc -l
>
> oh, and they depend on the loaded extensions (including 3rd party extensions)
> oh, and they *all* would have to be classified if, how and in which context
> they all may or may not have a security impact

That's one of the duties/tasks of their developer(s): WTFM!

ALL software MUST come with SECURE DEFAULTS. PERIOD. Anyone who thinks otherwise should fly in an aircraft running
his own designed software. Knowledgeable admins are not an alternative to secure defaults; rather, I'd prefer both.

> *define what is secure* and make sure you define it by context
>
> unlink('file_my_script_wrote'); is fine

No, it's UNSAFE!
The standard use case of PHP is "preprocessor for HTTP daemon".
There is ABSOLUTELY no need to allow the preprocessor to unlink a file.

> unlink($_GET['what_ever_input']); is a security hole

No, not necessarily. The user who can run
$ php -r "unlink($_GET['what_ever_input']);"
can also run
$ rm "$SOMEFILE"
OTOH: the user who can instruct his web browser to fetch
<http://example.org/index.html> is not able to unlink $SOMEFILE by

> so do we now disable unlink();

Not WE, but the developer.
All functions which are not used in the typical operating
environment of the resp. program (see above) have to be turned
off by default. "file handling" is NONE of PHP's typical operations!
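The thread argues over whether PHP's filesystem functions should be off by default and who should classify them. The check a practitioner actually runs is simpler: take the list of internal functions the runtime defines, compare it with a deny-list of filesystem-mutating functions, and see which ones php.ini's `disable_functions` leaves enabled. The script below is an added example written for this page, not code from either poster or from the PHP project. The deny-list, the two php.ini snippets and the function inventory are constructed for illustration; a real inventory comes from `get_defined_functions()['internal']` and depends on the loaded extensions, exactly as Reindl notes.

```python
"""Audit a php.ini 'disable_functions' directive against a deny-list of
filesystem-mutating internal functions.

Added example for illustration only. The deny-list below is a constructed
starting point, not a complete classification of PHP's function set.
"""
import re

# Constructed deny-list: internal functions that change the filesystem.
# A "preprocessor for an HTTP daemon" rarely needs these; refine per deployment.
FS_MUTATING = frozenset({
    "unlink", "rmdir", "rename", "mkdir", "copy", "chmod", "chown",
    "chgrp", "touch", "symlink", "link", "file_put_contents", "fwrite",
    "fputs", "tempnam", "tmpfile",
})


def parse_disable_functions(ini_text):
    """Return the set of names given by the last 'disable_functions' line.

    Mirrors php.ini syntax as far as this example needs it: ';' starts a
    comment, the value is a comma-separated list (optionally quoted), and a
    later assignment overrides an earlier one.
    """
    names = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            names = {n.strip() for n in value.split(",") if n.strip()}
    return names


def still_enabled(ini_text, defined_functions):
    """Deny-listed functions that the runtime defines and php.ini leaves on.

    'disable_functions' only affects internal functions, so the comparison
    is restricted to what the runtime actually reports as defined.
    """
    disabled = parse_disable_functions(ini_text)
    return sorted((FS_MUTATING & set(defined_functions)) - disabled)


def hardened_directive(defined_functions, keep=()):
    """Build a disable_functions line covering every deny-listed function the
    runtime defines, minus an explicit allow-list for the few an app needs."""
    names = sorted((FS_MUTATING & set(defined_functions)) - set(keep))
    return "disable_functions = " + ",".join(names)


# Constructed sample: a stock php.ini leaves the directive empty.
DEFAULT_INI = """\
; stock php.ini snippet (constructed for this example)
disable_functions =
expose_php = Off
"""

# Constructed sample inventory standing in for get_defined_functions()['internal'].
SAMPLE_INTERNAL = ["strlen", "unlink", "rename", "fopen", "fwrite",
                   "file_put_contents", "mkdir", "print_r", "rmdir"]

# Constructed sample: the same directive after hardening for the web SAPI.
HARDENED_INI = """\
; hardened php.ini snippet (constructed for this example)
disable_functions = unlink,rename,fwrite,file_put_contents,mkdir,rmdir
"""

if __name__ == "__main__":
    print("stock php.ini leaves enabled:   ", still_enabled(DEFAULT_INI, SAMPLE_INTERNAL))
    print("hardened php.ini leaves enabled:", still_enabled(HARDENED_INI, SAMPLE_INTERNAL))
    print(hardened_directive(SAMPLE_INTERNAL, keep=("fwrite",)))
```

Two caveats when applying this for real: `disable_functions` is a PHP_INI_SYSTEM setting, so it must be set in php.ini (or the server's main configuration), not via `ini_set()` at runtime; and it only covers internal functions, so it does nothing about a loaded extension that offers a different way to delete files.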