| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 01 Jun 2004 19:13:53 +0200 From: Luca Falavigna <fala83@...ero.it> To: Alexander GQ Gerasiov <bugtaq@...pp.ru> Cc: Bugtraq <bugtraq@...urityfocus.com> Subject: Re: Possible bug in PHPNuke and other CMS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alexander GQ Gerasiov ha scritto: | | I'm sure that such problems must be fixed not with some hacks like | yours (checking domain name), but with webserver configuration (uid | and permissions, php abilities (like safe mode or open_base_dir | option) etc.) | File permissions must always permit execution of php pages by web servers. And symlink is followed and code executed because web servers must have access to that directory and code. We can operate with php security options too and obtain the same result but what if we cannot modify them? We are uncovered!!! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBQLy5UPTtdJayrm9xAQJYsggAjH3AAqT6olYdcnK6Oon91TtPDk96ajSC JCJbqcdjRgGeOWq7YczYvysr7ff/splZZ6f1wMWbJwcmFntE/gWdRmU2+Y0/4sHv P4w9Cymmdhhc8E91KqYUfJNYFqWhGfdjaCsZ6p+8tj/+hm/ZPWFuU+2mI+8T4S6i lEEveVl3DiUfG4oxImOyn/6vAgmUcnMkL/qm+TpSqItPd22Q3rP7gagXbJBn8U34 lKjQHy8KhJeEh8NZ4bQ6BR7My3iHFigOcA3sbN+vDnsptz+TIIhKfF2R1vvEOjcd 2YICuxiio7hHN/VkmJP++OazuWIUr5lDQuJIOwszfI0ozwalRQ9X/Q== =41ma -----END PGP SIGNATURE-----
Powered by blists - more mailing lists