
Re: phpBB vulnerability exploited



On Mon, Dec 13, 2004 at 01:44:41PM +0200, Boris Pavlov wrote:
> 
> limit with php opendir. make another tmp directory, and set php temp dir, 
> with all permissions you want. limit the system function, if you don't need 
> it. they are per-vhost apache settings, check the manuals. 
> 

I run apache using dchroot to avoid the most common problems.
Breaking a chroot is possible, but not so easy, and it's more
difficult within dchroot, which _should_ drop privileges properly AFAIK.
I do that commonly for hosting services where users can run their own
php and cgi scripts. That cannot avoid creating shell services, surely,
but it avoids password cracking, use of cron, access to kernel modules
and log files, and so on.

-- 
Francesco P. Lovergine
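
The per-vhost PHP limits suggested in the quoted message, written out as an added example that is not part of the original thread. It assumes mod_php and reads "php opendir" as the open_basedir directive; the host name and paths are constructed placeholders.

```apache
# Constructed example: host name and paths are placeholders.
<VirtualHost *:80>
    ServerName customer1.example.org
    DocumentRoot /srv/www/customer1/htdocs

    # Confine PHP file access (fopen, include, opendir, ...) to this
    # customer's tree. The trailing slash keeps older PHP versions, which
    # treat the value as a prefix, from also matching
    # /srv/www/customer1/htdocs-old.
    php_admin_value open_basedir "/srv/www/customer1/htdocs/:/srv/www/customer1/tmp/"

    # Private temp directory instead of the shared /tmp. php_admin_value
    # cannot be overridden from .htaccess or ini_set() by hosted scripts.
    php_admin_value upload_tmp_dir "/srv/www/customer1/tmp"
    php_admin_value session.save_path "/srv/www/customer1/tmp"
</VirtualHost>

# disable_functions is not accepted in httpd.conf; PHP reads it only from
# php.ini, so it applies to every vhost served by that PHP instance:
#   disable_functions = system,exec,passthru,shell_exec,popen,proc_open
```

These settings constrain PHP scripts only; CGI programs run by the same server are not affected by them, which is where the chroot approach described in the reply applies.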


