Bryan:

> Does apache spawn new perl processes? I thought that
> mod_perl was part of the apache process. How could someone exec a
> new perl command on your machine via mod_perl? Doesn't mod_perl
> prevent (or at least provide a way to secure) exec and eval calls?

Honestly, I don't mess with mod_perl much. I'm a PHP programmer (/me dons asbestos shirt) so I don't know the internals of how mod_perl does the magic. I'll have to read up on it before implementing something like this.

The catalyst that began all this is some PHP apps installed on my servers (by web hosting customers) are vulnerable... phpBB is a particularly big offender. There are well-known exploits that allow a file to be saved to /tmp and run via the Perl interpreter. Rather than tell my customers to take a hike, I wanted to find a way to prevent the exploit (which is better security policy anyway).

Jeff

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
