mailing list archives
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Reindl Harald <h.reindl () thelounge net>
Date: Tue, 13 Aug 2013 21:57:59 +0200
Am 13.08.2013 21:36, schrieb Stefan Kanthak:
*define what is secure* and make sure you define it by context
unlink('file_my_script_wrote'); is fine
No, its UNSAFE!
The standard use case of PHP is "preprocessor for HTTP demon".
There is ABSOLUTELY no need to allow the preprocessor to unlink a file.
come back to reality
the standard usecase of PHP is develop WEB-APPLICATIONS which are
typically deal with file-uploads and such things, you can whine
about it but *that is* the usecase of PHP
unlink($_GET['what_ever_input']): is a security hole
No, not necessarily. The user who can run
$ php -r "unlink($_GET['what_ever_input']);"
can also run
$ rm "$SOMEFILE"
if you would have a clue what are you speaking about you
would know what $_GET is - hint: it has nothing to do with a terminal
OTOH: the user who can instruct his web browser to fetch
<http://example.org/index.html> is not able to unlink $SOMEFILE by
wow - without you explaining the world that statically html pages
are safe we would go down - genius for that you do not need suEXEC,
perl, PHP or whatever at all
so do we now disable unlink();
Not WE, but the developer.
All functions which are not used in the typical operating
environment of the resp. program (see above) have to be turned
off by default. "file handling" is NONE of PHPs typical operations!
why do people which never wrote a serious web-application
not simply shut up in this thread?
Description: OpenPGP digital signature