Date: Fri, 4 Jun 2004 14:25:07 +0200
From: BlueRaven <blue@...enconsulting.it>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Possible bug in PHPNuke and other CMS

On 01/Jun/04, at 19:13, Luca Falavigna wrote:

> File permissions must always permit execution of php pages by web
> servers. And symlink is followed and code executed because web servers
> must have access to that directory and code. We can operate with php
> security options too and obtain the same result but what if we cannot
> modify them? We are uncovered!!!

Agreed, but I think that, in this case, the real problem would be an insecure configuration of the underlying webserver: any security-aware administrator should configure it to NOT follow symlinks or, at least, follow them if and only if the destination file belongs to the same user (SymLinksIfOwnerMatch directive in Apache).

-- 
BlueRaven

Did you know that, if you play a Windows 2000 CD backwards, you will hear the voice of Satan? That's nothing! If you play it forward, it will install Windows 2000!!!
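The Apache setting named in the reply above, shown as an added configuration example that is not part of the original post. The directory path is a hypothetical placeholder, and the `Options=` form of `AllowOverride` assumes Apache 2.2 or later.

```apache
# Constructed example: /var/www/vhosts is a hypothetical shared-hosting root
# where each customer owns the files under their own subdirectory.

# Before (weak): every symlink is followed regardless of who owns the target,
# and .htaccess files may change any option. Shown commented out.
#
# <Directory "/var/www/vhosts">
#     Options FollowSymLinks
#     AllowOverride All
# </Directory>

# After: a symlink is followed only when the link and its target have the
# same owner, so a link into another user's tree is refused.
<Directory "/var/www/vhosts">
    Options -FollowSymLinks +SymLinksIfOwnerMatch

    # Without this restriction a user's .htaccess could simply set
    # "Options +FollowSymLinks" and undo the line above. Only the listed
    # option may be changed from .htaccess.
    AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes
</Directory>

# Caveats:
# - FollowSymLinks and SymLinksIfOwnerMatch are honoured only in <Directory>
#   sections and .htaccess files; inside <Location> they have no effect.
# - The ownership test is performed at request time and is subject to a
#   race between the check and the open. The Apache documentation states
#   that it should not be considered a security restriction on its own,
#   so pair it with per-user file permissions and process separation.
```

After reloading the server, a request for a symlink whose target belongs to a different user should return 403, with a "Symbolic link not allowed" entry in the error log.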