Stefan Esser wrote:
On Wed, Nov 06, 2002 at 08:15:48PM +0200, Georgi Guninski wrote:
I. Apache and php were notified on Tue, 15 Oct 2002 18:16:40 +0300
The Apache guys seem to prepare a fix. The php guys replied this is known
for ages but did not provide reference for the claims.
It is known for ages because it is a UNIX design decision to inherit
file descriptors on exec. Thats why most derivates support a CLOSE ON
EXEC flag. I told you several times that I used the fd leakage in my
e-matters PHP exploits to clean the apache log files for demonstration.
This code belongs to e-matters and cannot made public...
I got only one message which said that closing on exec can cause problems.
And I did not got any reply to the question:
"So please someone officially reply - "FIX - when" or "NOT FIX"
from Date: Mon, 21 Oct 2002 16:36:53 +0300
Georgi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
