Re: Possible bug in PHPNuke and other CMS
Il giorno 01/giu/04, alle 19:13, Luca Falavigna ha scritto:
File permissions must always permit execution of php pages by web
servers. And symlink is followed and code executed because web servers
must have access to that directory and code. We can operate with php
security options too and obtain the same result but what if we cannot
modify them? We are uncovered!!!
Agreed, but I think that, in this case, the real problem would be an
insecure configuration of the underlying webserver: any security-aware
administrator should configure it to NOT follow symlinks or, at last,
follow them if and only if the destination file belongs to the same
user (SymLinksIfOwnerMatch directive in Apache).
--
BlueRaven
Did you know that, if you play a Windows 2000 CD backwards,
you will hear the voice of Satan? That's nothing!
If you play it forward, it will install Windows 2000!!!