Re: (php?) bug exploit report

To: debian-security@lists.debian.org, Csan <csani@lme.linux.hu>
Subject: Re: (php?) bug exploit report
From: Thomas Sjögren <thomas@northernsecurity.net>
Date: Tue, 20 Jan 2004 14:20:28 +0100
Message-id: <[🔎] 20040120132028.GB12630@northernsecurity.net>
Reply-to: thomas@northernsecurity.net
In-reply-to: <[🔎] 20040120090004.GB3007@net-track.ch>
References: <[🔎] 1074519612.400bde3c5cfb5@mail.dominet.hu> <[🔎] 20040120090004.GB3007@net-track.ch>

On Tue, Jan 20, 2004 at 10:00:04AM +0100, Oliver Hitz wrote:
> I think you should be able to avoid such exploits by using PHP's safe
> mode. It allow you, among other things, to specify that only files in
> a particular directory may be executed. This way, even if someone
> succeeds uploading an exploit onto your server, he won't be able to run
> it.

Recommend that you also take a look at mod_security
(http://www.modsecurity.org/) for apache.

/Thomas
-- 
== thomas@northernsecurity.net | thomas@se.linux.org
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- (php?) bug exploit report
  - From: Csan <csani@lme.linux.hu>
- Re: (php?) bug exploit report
  - From: Oliver Hitz <oliver@net-track.ch>

Prev by Date: Re: Release.gpg files gone?
Next by Date: 2.6.1 CryptoAPI woes
Previous by thread: Re: (php?) bug exploit report
Next by thread: 2.6.1 CryptoAPI woes
Index(es):
- Date
- Thread