From: guninski at guninski.com (Georgi Guninski)
Subject: Fun with mod_php/Apache 1.3, yet Apache much better than II$

Stefan Esser wrote:
> On Wed, Nov 06, 2002 at 08:15:48PM +0200, Georgi Guninski wrote:
> 
> 
>>I. Apache and php were notified on Tue, 15 Oct 2002 18:16:40 +0300
>>The Apache guys seem to prepare a fix. The php guys replied this is known
>>for ages but did not provide reference for the claims.
> 
> 
> It is known for ages because it is a UNIX design decision to inherit
> file descriptors on exec. That's why most derivatives support a CLOSE ON
> EXEC flag. I told you several times that I used the fd leakage in my
> e-matters PHP exploits to clean the apache log files for demonstration.
> This code belongs to e-matters and cannot be made public...

I got only one message which said that closing on exec can cause problems.
And I did not get any reply to the question:
"So please someone officially reply - "FIX - when" or "NOT FIX""
from Date: Mon, 21 Oct 2002 16:36:53 +0300

Georgi
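
The descriptor inheritance and close-on-exec flag discussed in the quoted reply, as an added example that is not part of the thread and not Apache or PHP code: it checks whether a descriptor opened by a parent is still open in a program started with exec, then sets FD_CLOEXEC and checks again. The names `survives_exec`, `harden_fds` and `LOG_PATH` are hypothetical, and the check assumes `/bin/sh` exists.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define LOG_PATH "/dev/null" /* constructed stand-in for a server log file */

/* 1 if fd is still open in a program started with exec, 0 if not, -1 on error.
 * Assumes /bin/sh exists and fd < 10 (the portable limit for sh redirections). */
int survives_exec(int fd)
{
    char cmd[64];
    int status;
    /* ">&N" fails in the shell when descriptor N was not inherited. */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; true >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Set FD_CLOEXEC on every open descriptor in [lo, hi) that lacks it and
 * return how many were changed. Passing O_CLOEXEC to open() instead leaves
 * no window between opening the file and flagging it. */
int harden_fds(int lo, int hi)
{
    int changed = 0;
    for (int fd = lo; fd < hi; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || (flags & FD_CLOEXEC)) continue; /* closed or already set */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0) changed++;
    }
    return changed;
}

int main(void)
{
    int fd = open(LOG_PATH, O_WRONLY); /* no close-on-exec: children inherit it */
    printf("before: fd %d survives exec = %d\n", fd, survives_exec(fd));
    printf("descriptors hardened = %d\n", harden_fds(3, 64));
    printf("after:  fd %d survives exec = %d\n", fd, survives_exec(fd));
    return 0;
}
```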

