lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20021106191912.GA29758@php.net>
From: s.esser at e-matters.de (Stefan Esser)
Subject: Fun with mod_php/Apache 1.3, yet Apache much better than II$

On Wed, Nov 06, 2002 at 08:15:48PM +0200, Georgi Guninski wrote:

> I. Apache and php were notified on Tue, 15 Oct 2002 18:16:40 +0300
> The Apache guys seem to prepare a fix. The php guys replied this is known
> for ages but did not provide reference for the claims.

It is known for ages because it is a UNIX design decision to inherit
file descriptors on exec. Thats why most derivates support a CLOSE ON
EXEC flag. I told you several times that I used the fd leakage in my
e-matters PHP exploits to clean the apache log files for demonstration.
This code belongs to e-matters and cannot made public...
Now you can say: okay logfiles, but sockets are different... 
However I also told you guys to look into php4/main/main.c there is
a comment somewhere in the code (within ...shutdown_for_exec()) that
says (since 4.0.0) that we cannot close the fds at that place because
it caused troubles (with 3rd party libs etc...) Taking care of the
open fds would mean mod_php had to do unecessary extra forks() in
front of all 3rd party library calls that could maybe execute external
programs. And in front of all popens()...

However I told you also that you should disable all exec functions
in hosted environments via php.ini because there can always be kernel
bugs or suid bugs on the box that could be exploited.

Anyway, nice work Mr. Guninski.

Stefan Esser



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ