From: s.esser at e-matters.de (Stefan Esser)
Subject: Fun with mod_php/Apache 1.3, yet Apache much better than II$

On Wed, Nov 06, 2002 at 08:15:48PM +0200, Georgi Guninski wrote:

> I. Apache and php were notified on Tue, 15 Oct 2002 18:16:40 +0300
> The Apache guys seem to prepare a fix. The php guys replied this is known
> for ages but did not provide reference for the claims.

It is known for ages because it is a UNIX design decision to inherit
file descriptors on exec. That's why most derivatives support a CLOSE ON
EXEC flag. I told you several times that I used the fd leakage in my
e-matters PHP exploits to clean the apache log files for demonstration.
This code belongs to e-matters and cannot be made public...
Now you can say: okay logfiles, but sockets are different... 
However I also told you guys to look into php4/main/main.c there is
a comment somewhere in the code (within ...shutdown_for_exec()) that
says (since 4.0.0) that we cannot close the fds at that place because
it caused troubles (with 3rd party libs etc...) Taking care of the
open fds would mean mod_php had to do unnecessary extra forks() in
front of all 3rd party library calls that could maybe execute external
programs. And in front of all popens()...

However I told you also that you should disable all exec functions
in hosted environments via php.ini because there can always be kernel
bugs or suid bugs on the box that could be exploited.

Anyway, nice work Mr. Guninski.

Stefan Esser
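
The close-on-exec flag mentioned in the message above, as an added example that is not part of the original email and is not PHP or Apache code. It checks whether a descriptor would survive an exec and marks a range of descriptors close-on-exec; the function names and the pipe standing in for a server's log file or socket are assumptions made for illustration.

```c
#include <fcntl.h>
#include <unistd.h>

/* Returns 1 if fd is open and would be inherited across exec,
 * 0 if it is open with FD_CLOEXEC set, -1 if fd is not open. */
int inherited_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Set FD_CLOEXEC while preserving any other descriptor flags.
 * Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* Mark every open, inheritable descriptor in [lowfd, maxfd) close-on-exec.
 * Returns how many descriptors were changed. */
int harden_fds(int lowfd, int maxfd)
{
    int changed = 0;
    for (int fd = lowfd; fd < maxfd; fd++)
        if (inherited_on_exec(fd) == 1 && set_cloexec(fd) == 0)
            changed++;
    return changed;
}

/* Constructed demo: a pipe stands in for the parent's log file or socket. */
int demo(void)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    int before = inherited_on_exec(fds[1]); /* pipe() fds are inheritable */
    harden_fds(3, fds[1] + 1);              /* everything above stdio */
    int after = inherited_on_exec(fds[1]);
    close(fds[0]);
    close(fds[1]);
    return (before == 1 && after == 0) ? 0 : 1;
}

int main(void) { return demo(); }
```

Setting the flag per descriptor at the point it is opened avoids the problem the message describes with closing descriptors just before exec, since third-party code that calls exec on its own still gets only descriptors not marked close-on-exec.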


