From: npguy at websurfer.com.np (npguy)
Subject: flaw in php_exec_dir patch

hi venom, 

which patch are u talking .. 
well did u ever try 

http://www.google.com/search?q=php_exec_dir+site:www.php.net&l=en

there are quite a few entries which tell nothing except similar to ur post.
well give a try in php-internals archive. u just get nothing. actually which 
patch are u talking about. it was never issued officially and was not around
in the communities. you are talking about some unknown directives that were 
never intended to be used. people often make use of apache directives to 
allow non-safe mode to their trusted scripts, that is what i see as a good 
solution for the time being. anyway if it's a cool patch i am interested! give 
me some references. 

> heres a hint, learn about the product b4 you spam a mailing list, i see 5
> posts from you asking the exact same question 2 hrs apart from each other

well i never posted and saw it in the list, u might be wrong. 
actually there were some postings about this patch's existence. did u check 
that.

On Saturday 26 June 2004 07:19 am, VeNoMouS wrote:
> Dude do you even know what php_exec_dir patch is, it's a patch so you don't
> have to turn safe mode on, which disables a bunch of shit that you need, so
> the patch was a workaround to simply stop you executing programs.
>
> heres a hint, learn about the product b4 you spam a mailing list, i see 5
> posts from you asking the exact same question 2 hrs apart from each other
> you think you could've googled in that time or perhaps fixed your mail
> queue?
>
> either or, stop being so fucking lazy.
>
>
> ----- Original Message -----
> From: "npguy" <npguy@...surfer.com.np>
> To: "VeNoMouS" <venom@...-x.co.nz>; <full-disclosure@...ts.netsys.com>
> Sent: Friday, June 25, 2004 2:47 AM
> Subject: Re: [Full-Disclosure] flaw in php_exec_dir patch
>
> > is your safe mode on? .. what's ur platform.
> > give more details!
> >
> > On Wednesday 23 June 2004 07:05 am, VeNoMouS wrote:
> >> Found an issue last night while testing php_exec_dir patch
> >>
> >> if you do the following
> >>
> >> $blah=`ps aux`;
> >> echo nl2br($blah);
> >>
> >> php_exec_dir will block the call if you have set the exec_dir parm in
> >> php or apache
> >>
> >> anyway.... if you do this
> >>
> >> $blah=`;ps aux`;
> >> echo nl2br($blah);
> >>
> >> it bypasses the exec block and executes the ps due to the ';', as bash
> >> interprets ';' as a new cmd, ive emailed the author but no response.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
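
The behaviour reported at the bottom of the thread, as an added example that is not part of the original posts and is not the patch's code: it assumes a wrapper that prepends the allowed directory to the command string and hands the result to a shell, and contrasts it with a check that allowlists characters and executes the resolved program directly. The function names, the `report` program and the use of `echo` in place of `ps aux` are constructed for illustration.

```shell
#!/bin/sh
# Constructed model of a prefix-style exec_dir wrapper (an assumption: the
# thread does not show the patch's code). `echo` stands in for `ps aux`.

# Create a throwaway exec_dir holding one allowed program, `report`.
make_exec_dir() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "report $1"\n' > "$d/report"
    chmod +x "$d/report"
    echo "$d"
}

# Weak: prepend the allowed directory, then let a shell parse the result.
# A leading ';' ends the prefixed word, so the rest runs as its own command.
run_prefixed() {                 # $1 = exec_dir, $2 = command string
    sh -c "$1/$2" 2>/dev/null
}

# Hardened: allowlist the characters, resolve the program inside exec_dir,
# then execute it directly so no shell ever re-parses the string.
run_strict() {                   # $1 = exec_dir, $2 = command string
    case $2 in
        ''|*[!A-Za-z0-9\ ._-]*) return 126 ;;   # rejects ; | & ` $ / and more
    esac
    set -f; set -- "$1" $2; set +f              # split on whitespace, no globbing
    [ "$#" -ge 2 ] || return 126                # nothing but blanks
    xdir=$1 prog=$2; shift 2
    [ -f "$xdir/$prog" ] && [ -x "$xdir/$prog" ] || return 126
    "$xdir/$prog" "$@"
}

# Run the thread's two inputs plus one legitimate call through both wrappers.
demo() {
    dir=$(make_exec_dir) || return 1
    for cmd in 'echo leaked' ';echo leaked' 'report daily'; do
        printf '%-14s prefixed=[%s] strict=[%s]\n' "$cmd" \
            "$(run_prefixed "$dir" "$cmd")" "$(run_strict "$dir" "$cmd")"
    done
    rm -rf "$dir"
}
demo
```
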

