On 3/27/06, Jeff Schroeder <[EMAIL PROTECTED]> wrote:
>
> Bryan:
> The catalyst that began all this is some PHP apps installed on my
> servers (by web hosting customers) are vulnerable... phpBB is a
> particularly big offender. There are well-known exploits that allow a
> file to be saved to /tmp and run via the Perl interpreter. Rather than
> tell my customers to take a hike, I wanted to find a way to prevent the
> exploit (which is better security policy anyway).
Had the same problem with those pesky script kiddies. Run PHP in safe mode / without URL fopen wrappers (which is the actual issue), and with open_basedir in effect. Make the basedir the user home dir and other PHP include dirs. Apache will write to /tmp by itself for sessions etc. because it doesn't live by the rules of PHP. It will cost you a bit more admin work but save your neck from being chopped at your provider.

Hackville Pop 2

--
--
--
Matthew Frederico
http://www.ultrize.com
http://www.suspendedstudios.com
----------------------------------
Cell: (518)365-9841
Office: (361)288-3331

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
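The per-customer lockdown Matthew describes (no URL fopen wrappers, open_basedir limited to the customer's home plus the shared include dirs, PHP's own temp and session files kept out of the world-writable /tmp) translates into a few mod_php directives in the customer's Apache virtual host. The fragment below is an added example, not configuration from anyone in the thread; the vhost name, the customer home directory, the shared include path and the per-customer session and upload directories are assumed placeholders. It also uses allow_url_include, which exists only from PHP 5.2 onward, alongside allow_url_fopen; safe_mode is shown commented out because it was removed in PHP 5.4, so it applies only to the PHP 5.0/5.1 installs of the thread's era.

```apache
# Added example (not from the thread): locking one hosting customer's PHP down
# inside its Apache <VirtualHost> with mod_php's php_admin_* directives, which
# the customer cannot override from .htaccess or ini_set().
#
# Weak defaults this replaces (typical shared-hosting php.ini of the time):
#   allow_url_fopen = On      ; include()/fopen() accept http:// URLs -> remote file inclusion
#   open_basedir    =         ; empty: scripts may read/write anywhere the Apache user can,
#                             ; including /tmp, where the dropped file in the thread lands
#   session.save_path = /tmp  ; PHP itself writes there, so you cannot just deny /tmp

<VirtualHost *:80>
    ServerName customer1.example.com            # assumed placeholder
    DocumentRoot /home/customer1/public_html    # assumed placeholder

    # The actual issue per the reply: stop include()/fopen() from pulling remote code.
    php_admin_flag allow_url_fopen Off
    php_admin_flag allow_url_include Off        # PHP >= 5.2 only

    # Confine the customer's scripts to their home dir plus the shared include dir.
    # open_basedir is a prefix match, so keep the trailing slash on every entry:
    # "/home/customer1" alone would also permit "/home/customer1evil/".
    # Everything PHP writes on the customer's behalf (sessions, uploads) must sit
    # inside the allowed prefixes, otherwise PHP refuses with an open_basedir warning.
    php_admin_value open_basedir "/home/customer1/:/usr/share/php/:/var/lib/php/sessions/customer1/"

    # Move PHP's own scratch files off /tmp into per-customer directories
    # (create them owned by the Apache user, mode 0700, outside DocumentRoot).
    php_admin_value session.save_path "/var/lib/php/sessions/customer1/"
    php_admin_value upload_tmp_dir    "/home/customer1/tmp/"

    # Matthew's first suggestion; only meaningful on PHP < 5.4 (removed later).
    # php_admin_flag safe_mode On
</VirtualHost>
```

Apache will still create its own files in /tmp outside these rules, exactly as the reply notes; the point of the per-customer session and upload paths is that nothing a customer's PHP script can write ends up in a directory it shares with every other account, so a dropped file cannot later be picked up and executed from /tmp. Verify the result from the customer's account with a one-line script that calls `ini_get('open_basedir')` and tries `fopen('http://example.com/')`, which should now fail.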
