Re: Attack using php+apache

On Sat, Nov 15, 2003 at 08:11:34PM -0600, Tom Goulet (UID0) wrote:

> If you have register globals off *or* safe mode on, this particular
> exploit is useless.

> If you had register globals on and safe mode off then he could run
> arbitrary programs as your Apache user.  It's possible he could run a
> local root exploiting program, but that's not as likely.

It really irritates me that people continue to use this when the
php.ini file repeatedly warns (no, begs) you not to.

Users requiring this to be set should be LARTed, and asked to
recode their application.


Alex J. Avriette, Unix Systems Engineer
"It's computationally FEROCIOUS." - Steve Jobs, discussing 64-bit computing

