Re: (php?) bug exploit report
At 10:00 on Tue, 20 Jan 2004, Oliver Hitz wrote:
> On 19 Jan 2004, Csan wrote:
> > The URL is part of a postnuke site and they could start up the telnetd
> > binary with invoking an URL similar to the above URL! Is this a known
> > sechole?
> I think you should be able to avoid such exploits by using PHP's safe
> mode. It allow you, among other things, to specify that only files in
> a particular directory may be executed. This way, even if someone
> succeeds uploading an exploit onto your server, he won't be able to run
Safe mode would certainly have reduced the impact from that script, and
I'd definitely recommend turning it on unless you're very confident of
the quality of all your scripts.
However, some of the things in the exploit script were designed to let an
attacker look at safe mode systems and possibly find another
vulnerability. Certainly they'd have been able to get at any database/etc
passwords used by the exploited website, possibly, depending on file
system permissions, at most files belonging to the same user, even with
safe mode on. This might then have let them find another way of
"Those who do not remember the past are condemned to repeat it."
"Those who *do* remember the past don't get much choice either."