lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <520A8FC7.1030609@thelounge.net>
Date: Tue, 13 Aug 2013 21:57:59 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: Stefan Kanthak <stefan.kanthak@...go.de>
CC: bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Apache suEXEC privilege elevation / information
 disclosure



Am 13.08.2013 21:36, schrieb Stefan Kanthak:
>> *define what is secure* and make sure you define it by context
>>
>> unlink('file_my_script_wrote'); is fine
> 
> No, its UNSAFE!
> The standard use case of PHP is "preprocessor for HTTP demon".
> There is ABSOLUTELY no need to allow the preprocessor to unlink a file.

come back to reality

the standard usecase of PHP is develop WEB-APPLICATIONS which are
typically deal with file-uploads and such things, you can whine
about it but *that is* the usecase of PHP

>> unlink($_GET['what_ever_input']): is a security hole
> 
> No, not necessarily. The user who can run
> 
> $ php -r "unlink($_GET['what_ever_input']);"
> 
> can also run
> 
> $ rm "$SOMEFILE"

if you would have a clue what are you speaking about you
would know what $_GET is - hint: it has nothing to do with a terminal

> OTOH: the user who can instruct his web browser to fetch
> <http://example.org/index.html> is not able to unlink $SOMEFILE by
> calling "rm".

wow - without you explaining the world that statically html pages
are safe we would go down - genius for that you do not need suEXEC,
perl, PHP or whatever at all

>> so do we now disable unlink();
> 
> Not WE, but the developer.
> All functions which are not used in the typical operating
> environment of the resp. program (see above) have to be turned
> off by default. "file handling" is NONE of PHPs typical operations!

why do people which never wrote a serious web-application
not simply shut up in this thread?


Download attachment "signature.asc" of type "application/pgp-signature" (264 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ