Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: disable symlink in php
Posted: Wed May 01, 2013 6:00 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
I've been made aware of an old vulnerability in PHP that makes use of PHP's symlink command. This appears to still be effective, though I've not personally tested it.

I therefore thought it would be sensible to disable it.

I can't think of any script that would need to use it, but you never know.

Have any of you disabled it? Any problems?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 
 Post subject: Re: disable symlink in php
Posted: Wed May 01, 2013 6:09 pm
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 224
Location: Netherlands
To my knowledge several vulnerabilities regarding bypassing open_basedir with symlink() have already been fixed a long time ago. If you are using the 5.1 packages from CentOS 5, or the 5.3.x packages from CentOS 6 or ART you should be safe. Although, I am not sure which vulnerability you are talking about specifically. If you have a CVE number, you should be able to look it up of course. If not, could you post more details?

_________________
Lemonbit Internet Dedicated Server Management


 
 Post subject: Re: disable symlink in php
Posted: Thu May 02, 2013 10:58 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
It is an old one that I would have expected to be fixed. But a poster elsewhere insists it works on 5.3.3.

http://cxsecurity.com/issue/WLB-2005090062

My reading of this is that it was fixed LONG ago. But the poster says he's tried it on 5.3.3 (CentOS default, I think?) and it works.

 
 Post subject: Re: disable symlink in php
Posted: Thu May 02, 2013 11:10 am
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 224
Location: Netherlands
I have just checked. The exploit does not work on the latest 5.3 from CentOS, nor on the latest 5.3 from ART. Additionally, the WAF rules from ASL will also protect against this exploit.

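For the question that opened this thread, one way to see whether a given php.ini already lists symlink in PHP's `disable_functions` directive and sets `open_basedir`. This is an added example, not something posted by the thread's participants; the function names are hypothetical, the sample php.ini is constructed, and the script reads a single file only (it does not follow scan directories or per-vhost overrides and assumes Linux-style `:` path separators).

```shell
#!/bin/sh
# Added example: report php.ini settings relevant to symlink().

# Print the effective (last uncommented) value of a directive in a php.ini file.
ini_value() {  # usage: ini_value FILE DIRECTIVE
    awk -v key="$2" '
        /^[ \t]*;/ { next }                      # skip commented-out lines
        {
            eq = index($0, "=")
            if (eq == 0) next                    # section headers, blank lines
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (name != key) next
            val = substr($0, eq + 1)
            sub(/[ \t]*;.*$/, "", val)           # drop a trailing ; comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)   # drop padding and quotes
            last = val                           # a later line overrides
        }
        END { print last }
    ' "$1"
}

# Succeed if FUNCTION is an entry in the disable_functions list of FILE.
func_disabled() {  # usage: func_disabled FILE FUNCTION
    list=$(ini_value "$1" disable_functions | tr -d ' \t')
    case ",$list," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print one line per function checked, then the open_basedir setting.
audit_php_ini() {  # usage: audit_php_ini FILE [FUNCTION...]
    ini=$1; shift
    [ "$#" -gt 0 ] || set -- symlink
    for fn in "$@"; do
        if func_disabled "$ini" "$fn"; then echo "$fn: disabled"
        else echo "$fn: enabled"; fi
    done
    basedir=$(ini_value "$ini" open_basedir)
    echo "open_basedir: ${basedir:-not set}"
}

# Constructed sample php.ini (not taken from any real server).
sample=$(mktemp)
printf '%s\n' '[PHP]' ';disable_functions = symlink' \
    'disable_functions = exec, symlink ,passthru  ; hardening' \
    'open_basedir = "/var/www/vhosts/example.com:/tmp"' > "$sample"
audit_php_ini "$sample" symlink link
rm -f "$sample"
```

Run it against the php.ini your PHP build actually loads; a function that shows as enabled here can still be restricted elsewhere, for example by `open_basedir` checks inside PHP itself.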
 