Re: Kernel Crash Bug????

2004-06-15 Thread Rudy Gevaert
Would it be possible to run that program through e.g. perl/php/... ?

A user could ftp the executable and write a php script that executes it.

Thanks in advance,

Rudy


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Kernel Crash Bug????

2004-06-15 Thread Russell Coker
On Tue, 15 Jun 2004 17:24, Rudy Gevaert [EMAIL PROTECTED] wrote:
> Would it be possible to run that program through e.g. perl/php/... ?
>
> A user could ftp the executable and write a php script that executes it.

Does PHP allow executing arbitrary binaries?

If the user can install CGI-BIN scripts then that's a good way of running a 
kernel security attack (or other local or back-end network attack).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





Re: Kernel Crash Bug????

2004-06-15 Thread Rudy Gevaert
Ignore my message.  I didn't read the url given above carefully
enough.  It mentions what I asked.





Re: Kernel Crash Bug????

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
> On Tue, 15 Jun 2004 17:24, Rudy Gevaert [EMAIL PROTECTED] wrote:
> > Would it be possible to run that program through e.g. perl/php/... ?
> >
> > A user could ftp the executable and write a php script that executes it.
>
> Does PHP allow executing arbitrary binaries?
>
[snip]

Yes, unless in your php.ini you have something along the lines of:
disable_functions = system,passthru,shell_exec,popen,proc_open

Regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.
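
Added example (not part of the original thread or any poster's code): a small Python audit that reads php.ini text and lists which process-execution functions a `disable_functions` line like the one quoted above still leaves callable. The function list, the sample ini strings and the helper names are assumptions chosen for illustration.

```python
import re

# Process-spawning functions in PHP core, plus pcntl_exec from the pcntl
# extension. The backtick operator is equivalent to shell_exec.
EXEC_FUNCTIONS = ("exec", "system", "passthru", "shell_exec",
                  "popen", "proc_open", "pcntl_exec")


def parse_disable_functions(ini_text):
    """Return the set of function names disabled by the given php.ini text."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a php.ini comment
        # Directive names are case sensitive, so match the exact spelling.
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            # A later assignment is treated here as overriding an earlier one.
            value = m.group(1).strip().strip("\"'")
            # PHP function names are case-insensitive, so normalise them.
            disabled = {n.strip().lower() for n in value.split(",") if n.strip()}
    return disabled


def still_callable(ini_text):
    """Exec-family functions that the given php.ini text leaves enabled."""
    disabled = parse_disable_functions(ini_text)
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


# Constructed sample inputs (not taken from a real server).
THREAD_INI = """\
; value quoted in the thread
disable_functions = system,passthru,shell_exec,popen,proc_open
"""
COMMENTED_INI = ";disable_functions = system,passthru\n"
FULL_INI = ('disable_functions = "exec, system, passthru, shell_exec, '
            'popen, proc_open, pcntl_exec"\n')

if __name__ == "__main__":
    for label, text in (("thread", THREAD_INI),
                        ("commented-out", COMMENTED_INI),
                        ("full", FULL_INI)):
        print(f"{label}: still callable -> {still_callable(text) or 'none'}")
```

The value quoted in the thread leaves `exec` (and `pcntl_exec`, where the pcntl extension is loaded) enabled. `disable_functions` is read from php.ini only, and it does not restrict CGI programs written in other languages.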




securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread Rudy Gevaert
On Tue, Jun 15, 2004 at 09:23:33AM +0100, David Ramsden wrote:
> On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
>
> > Does PHP allow executing arbitrary binaries?
> >
> [snip]
>
> Yes, unless in your php.ini you have something along the lines of:
> disable_functions = system,passthru,shell_exec,popen,proc_open

Can somebody point me to some documentation about securing PHP?

-- 
Rudy Gevaert        [EMAIL PROTECTED]
Web page            http://www.webworm.org
Schamper sysadmin   http://www.schamper.ugent.be
GNU/Linux user and Savannah hacker http://savannah.gnu.org
On-line, adj.:
The idea that a human being should always be accessible to a computer.





Re: securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread Jeroen van Wolffelaar
On Tue, Jun 15, 2004 at 10:35:33AM +0200, Rudy Gevaert wrote:
> On Tue, Jun 15, 2004 at 09:23:33AM +0100, David Ramsden wrote:
> > On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
> >
> > > Does PHP allow executing arbitrary binaries?
> > >
> > [snip]
> >
> > Yes, unless in your php.ini you have something along the lines of:
> > disable_functions = system,passthru,shell_exec,popen,proc_open
>
> Can somebody point me to some documentation about securing PHP?

http://php.net/security, a better solution to the above mentioned
problem is 'safe_mode', which is intended to block all dangerous file
access, executing, etc.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl





Re: securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 11:20:35AM +0200, Jeroen van Wolffelaar wrote:
> On Tue, Jun 15, 2004 at 10:35:33AM +0200, Rudy Gevaert wrote:
> > On Tue, Jun 15, 2004 at 09:23:33AM +0100, David Ramsden wrote:
> > > On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote:
> > >
> > > > Does PHP allow executing arbitrary binaries?
> > > >
> > > [snip]
> > >
> > > Yes, unless in your php.ini you have something along the lines of:
> > > disable_functions = system,passthru,shell_exec,popen,proc_open
> >
> > Can somebody point me to some documentation about securing PHP?
>
> http://php.net/security, a better solution to the above mentioned
> problem is 'safe_mode', which is intended to block all dangerous file
> access, executing, etc.
>

See also:
 http://www.pookey.co.uk/php-security.xml
 http://www.pookey.co.uk/php-suphp.xml

Regards,
David.
-- 
 .''`. David Ramsden [EMAIL PROTECTED]
: :'  :http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread Hideki Yamane
Hi,

  Tue, 15 Jun 2004 10:35:33 +0200, Rudy Gevaert
  securing PHP (was: Kernel Crash Bug)
> Can somebody point me to some documentation about securing PHP?

 Not documentation but patch for php, Hardened-PHP.
 http://www.hardened-php.net/


-- 
Regards,

 Hideki Yamane    mailto:henrich @ iijmio-mail.jp





Kernel Crash Bug????

2004-06-14 Thread peace bwitchu
Anyone have info on this one?


http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html



Peace







Re: Kernel Crash Bug????

2004-06-14 Thread Diego Alvarez
it does crash 2.6.6-1-686

On Mon, Jun 14, 2004 at 09:57:54AM -0700, peace bwitchu wrote:
> Anyone have info on this one?
>
> http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
>
> Peace



Re: Kernel Crash Bug????

2004-06-14 Thread Philippe Troin
peace bwitchu [EMAIL PROTECTED] writes:

> Anyone have info on this one?
>
> http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html

Fixed by Linux here: 

http://linux.bkbits.net:8080/linux-2.5/diffs/include/asm-i386/[EMAIL PROTECTED]|src/.|src/include|src/include/asm-i386|hist/include/asm-i386/i387.h

Phil.


