lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40BCB951.2040906@libero.it>
Date: Tue, 01 Jun 2004 19:13:53 +0200
From: Luca Falavigna <fala83@...ero.it>
To: Alexander GQ Gerasiov <bugtaq@...pp.ru>
Cc: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Possible bug in PHPNuke and other CMS


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alexander GQ Gerasiov ha scritto:
|
| I'm sure that such problems must be fixed not with some hacks like
| yours (checking domain name), but with webserver configuration (uid
| and permissions, php abilities (like safe mode or open_base_dir
| option) etc.)
|

File permissions must always permit execution of php pages by web
servers. And symlink is followed and code executed because web servers
must have access to that directory and code. We can operate with php
security options too and obtain the same result but what if we cannot
modify them? We are uncovered!!!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBQLy5UPTtdJayrm9xAQJYsggAjH3AAqT6olYdcnK6Oon91TtPDk96ajSC
JCJbqcdjRgGeOWq7YczYvysr7ff/splZZ6f1wMWbJwcmFntE/gWdRmU2+Y0/4sHv
P4w9Cymmdhhc8E91KqYUfJNYFqWhGfdjaCsZ6p+8tj/+hm/ZPWFuU+2mI+8T4S6i
lEEveVl3DiUfG4oxImOyn/6vAgmUcnMkL/qm+TpSqItPd22Q3rP7gagXbJBn8U34
lKjQHy8KhJeEh8NZ4bQ6BR7My3iHFigOcA3sbN+vDnsptz+TIIhKfF2R1vvEOjcd
2YICuxiio7hHN/VkmJP++OazuWIUr5lDQuJIOwszfI0ozwalRQ9X/Q==
=41ma
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ