On Wed, 11 Apr 2001, Matthias Auchmann wrote:
Hi all !
I hope this is the right list to discuss this, but I think it's a real security problem:
What's wrong with my Apache? From a script like:
    #!/usr/bin/perl
    # CGI script: reads the server's own config file and sends it to the client
    print "Content-Type: text/html\n\n";
    open HUGO, "/etc/httpd/httpd.conf" or die "cannot open: $!";
    while ($a = <HUGO>) { print $a; }
    close HUGO;
or
    <?php
    # $i comes straight from the query string (register_globals), default /etc/passwd
    if (!$i) $i = "/etc/passwd";
    readfile($i);
    print $i;
    ?>
I can publish the whole system, every config file, firewall rules that are world-readable ... everything. And lots of files are, by default, world-readable ... I could start to make all of them NOT world-readable, but isn't there another way?
You could start by disabling scripting and then designate a specific directory to allow scripting in, where only the administrator can write scripts to. So one can scrutinize scripts before they are put in production. You could also chroot your Apache, but then you'll have a _lot_ to configure (and copy), I believe.

-- Groetjes vanwege... Greetings from... --
-- Dieter Demerre *** ddemerre@acm.org --
-- http://www.angelfire.com/de/ddemerre/ --
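As an added example (not part of Dieter's reply or of the thread), here is one way to express his suggestion in httpd.conf: scripting off everywhere by default, then enabled only in a single directory that only the administrator can write to. Directory paths are assumed, and the php_admin_* directives require mod_php.

```apache
# Added example, not from the thread. Paths are assumed.

# 1. Default for the whole filesystem: no options, no .htaccess overrides,
#    PHP engine off. Nothing is executable unless a later block says so.
<Directory />
    Options None
    AllowOverride None
    php_admin_flag engine off
</Directory>

# 2. The document root serves static files only. AllowOverride None means a
#    user cannot re-enable CGI or PHP with an .htaccess file of their own.
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

# 3. The one scripting directory. Make it root-owned and mode 0755 so only
#    the administrator can place scripts here after reviewing them.
<Directory "/var/www/scripts">
    AllowOverride None
    Options ExecCGI
    AddHandler cgi-script .cgi .pl
    php_admin_flag engine on
    # Confine file access of PHP scripts in this directory to the directory
    # itself plus a scratch area (mod_php; not a substitute for file permissions)
    php_admin_value open_basedir "/var/www/scripts:/tmp"
</Directory>
```

open_basedir only affects PHP's own file functions; the CGI side still runs as the Apache user and sees every world-readable file, which is why the write access to the scripts directory matters more than the flag.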