Bugtraq mailing list archives

Re: [BUGTRAQ] php breaks safe mode


From: Steffen Dettmer <steffen () dett de>
Date: Fri, 6 Jul 2001 10:14:54 +0200

* H D Moore wrote on Thu, Jul 05, 2001 at 14:31 -0500:
> On Thursday 05 July 2001 05:11 am, Raptor wrote:
> > What do you exactly intend with "minor impact"?

> I wonder if VirtualHost based user/group directives would keep
> this from happening,

No, this will not have any effect on the server children, but on
the executed CGI sub-processes, since it's not possible (well, not
without giving up any performance) to setuid at each request
(necessary, since all children are able to handle any request).
Since PHP runs in the same process, it runs with the same
permissions as all the other children.

> does anyone on the list know of a way to protect against this?

Drop mod_php, use PHP via CGI with a slightly modified suexec or
add the "shebang" line to your PHP scripts. But this is a
performance issue, since having security is slower here :)

oki,

Steffen

-- 
This letter was generated by machine,
and therefore bears neither signature nor seal.
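
The two setups contrasted in the message above, sketched as an Apache 1.3-style configuration. This is an added example, not part of the original post; the host name, address, user name and paths are constructed, and it assumes a suEXEC-enabled httpd whose suEXEC document root covers the customer directory.

```apache
# --- Shared mod_php: no per-customer isolation ---------------------------
# Every httpd child runs under the global User/Group and can serve any
# virtual host, so PHP code from every customer executes as "nobody".
User nobody
Group nobody
AddType application/x-httpd-php .php

<VirtualHost 192.0.2.10>
    ServerName customer-a.example
    DocumentRoot /home/customer-a/htdocs
    # In Apache 1.3 these two lines are consulted only by suEXEC when a
    # CGI sub-process is started. The child that runs mod_php keeps the
    # global uid/gid set above.
    User customer-a
    Group customer-a
</VirtualHost>

# --- PHP as CGI under suEXEC: one uid per customer ------------------------
# The mod_php mapping (AddType application/x-httpd-php) is dropped. Each
# request forks and execs the script through the suexec wrapper, which
# switches to the vhost's User/Group first. That fork/exec per request is
# the performance cost mentioned in the message.
<VirtualHost 192.0.2.10>
    ServerName customer-a.example
    DocumentRoot /home/customer-a/htdocs
    User customer-a
    Group customer-a
    <Directory /home/customer-a/htdocs>
        Options +ExecCGI
        AddHandler cgi-script .php
    </Directory>
</VirtualHost>

# Each script then needs the "shebang" first line and the execute bit,
# and must be owned by customer-a (suEXEC refuses to run it otherwise):
#
#   #!/usr/local/bin/php
#
# Apache 2.x expresses the per-vhost identity with SuexecUserGroup
# instead of User/Group inside <VirtualHost>.
```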

