On Mon, Jul 02, 2001 at 03:12:43PM -0700, Joe Harris wrote:

> On Sat, 30 Jun 2001, Joost Pol wrote:
>
> If an intruder can upload PHP code, what's to stop them from uploading an
> even meaner bit-o-code? In some other language?
>
> There is something fundamentally flawed in the logic of claiming safe_mode
> as "broken" if the means to abuse that flaw is predicated upon an intruder
> already having write access to the file system... a situation I think most
> would agree as being catastrophic to the integrity of the host, "safe_mode"
> or no "safe_mode".

Well, two changes do occur.

1. User could obtain the uid of the webserver. (nobody access)

   In a decent configured hosting machine, the impact would be minor.

   And *all* hosting machines are configured decently, right? (:

2. An ISP only giving out ftp access for users to upload new webpages
   could find themselves confronted with users with shell access.

> Is it a bug? Sure. Is it worthy of a Bugtraq posting? Barely.

Hmm, at least i should have cut it a bit. True.

The one Good Thing that came out of the bugtraq posting was that the PHP
team actually picked the issue up from the list and are fixing it.

Before that i mailed them and posted it on the php bug list, little response.

[heavy cutting]

Kind Regards,

Joost Pol

-- 
Joost Pol alias 'Nohican' <joostcontempt.nl> PGP 584619BD
PGP fingerprint B1FA EE66 CFAA A492 D5F8 9A8A 0CDA 5846 19BD
Laboratoire Contempt - Tel +31-6-28887995 Fax: +31-70-3873625

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]