Re: Possible bug in PHPNuke and other CMS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Alexander GQ Gerasiov ha scritto:
|
| I'm sure that such problems must be fixed not with some hacks like
| yours (checking domain name), but with webserver configuration (uid
| and permissions, php abilities (like safe mode or open_base_dir
| option) etc.)
|
File permissions must always permit execution of php pages by web
servers. And symlink is followed and code executed because web servers
must have access to that directory and code. We can operate with php
security options too and obtain the same result but what if we cannot
modify them? We are uncovered!!!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEVAwUBQLy5UPTtdJayrm9xAQJYsggAjH3AAqT6olYdcnK6Oon91TtPDk96ajSC
JCJbqcdjRgGeOWq7YczYvysr7ff/splZZ6f1wMWbJwcmFntE/gWdRmU2+Y0/4sHv
P4w9Cymmdhhc8E91KqYUfJNYFqWhGfdjaCsZ6p+8tj/+hm/ZPWFuU+2mI+8T4S6i
lEEveVl3DiUfG4oxImOyn/6vAgmUcnMkL/qm+TpSqItPd22Q3rP7gagXbJBn8U34
lKjQHy8KhJeEh8NZ4bQ6BR7My3iHFigOcA3sbN+vDnsptz+TIIhKfF2R1vvEOjcd
2YICuxiio7hHN/VkmJP++OazuWIUr5lDQuJIOwszfI0ozwalRQ9X/Q==
=41ma
-----END PGP SIGNATURE-----