Re: Attack using php+apache

To: debian-security@lists.debian.org
Subject: Re: Attack using php+apache
From: "Alex J. Avriette" <alex@posixnap.net>
Date: Sat, 15 Nov 2003 22:43:14 -0500
Message-id: <[🔎] 20031116034314.GL10972@posixnap.net>
In-reply-to: <[🔎] 20031116021134.GC686@nova.vor.em.ca>
References: <[🔎] Pine.LNX.4.58.0311152104110.7438@lia.ufc.br> <[🔎] 20031116021134.GC686@nova.vor.em.ca>

On Sat, Nov 15, 2003 at 08:11:34PM -0600, Tom Goulet (UID0) wrote:

> If you have register globals off *or* safe mode on, this particular
> exploit is useless.

> If you had register globals on and safe mode off then he could run
> arbitrary programs as your Apache user.  It's possible he could run a
> local root exploiting program, but that's not as likely.

It really irritates me that people continue to use this when the
php.ini file repeatedly warns (no, begs) you not to.

Users requiring this to be set should be LARTed, and asked to 
recode their application.

alex

--
alex@posixnap.net
Alex J. Avriette, Unix Systems Engineer
"It's computationally FEROCIOUS." - Steve Jobs, discussing 64-bit computing

Reply to:

Follow-Ups:
- Re: Attack using php+apache
  - From: Adam ENDRODI <borso@vekoll.saturnus.vein.hu>

References:
- Attack using php+apache
  - From: Carlos Eduardo Araujo Vieira <carllos@lia.ufc.br>
- Re: Attack using php+apache
  - From: "Tom Goulet (UID0)" <uid0@em.ca>

Prev by Date: Re: Attack using php+apache
Next by Date: Re: Attack using php+apache
Previous by thread: Re: Attack using php+apache
Next by thread: Re: Attack using php+apache
Index(es):
- Date
- Thread