Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Reindl Harald <h.reindl () thelounge net>
Date: Tue, 13 Aug 2013 21:57:59 +0200

Am 13.08.2013 21:36, schrieb Stefan Kanthak:
*define what is secure* and make sure you define it by context

unlink('file_my_script_wrote'); is fine

No, its UNSAFE!
The standard use case of PHP is "preprocessor for HTTP demon".
There is ABSOLUTELY no need to allow the preprocessor to unlink a file.

come back to reality

the standard usecase of PHP is develop WEB-APPLICATIONS which are
typically deal with file-uploads and such things, you can whine
about it but *that is* the usecase of PHP

unlink($_GET['what_ever_input']): is a security hole

No, not necessarily. The user who can run

$ php -r "unlink($_GET['what_ever_input']);"

can also run

$ rm "$SOMEFILE"

if you would have a clue what are you speaking about you
would know what $_GET is - hint: it has nothing to do with a terminal

OTOH: the user who can instruct his web browser to fetch
<http://example.org/index.html> is not able to unlink $SOMEFILE by
calling "rm".

wow - without you explaining the world that statically html pages
are safe we would go down - genius for that you do not need suEXEC,
perl, PHP or whatever at all

so do we now disable unlink();

Not WE, but the developer.
All functions which are not used in the typical operating
environment of the resp. program (see above) have to be turned
off by default. "file handling" is NONE of PHPs typical operations!

why do people which never wrote a serious web-application
not simply shut up in this thread?

Attachment: signature.asc
Description: OpenPGP digital signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]