No executables in /tmp

Matthew Frederico mfrederico at gmail.com
Mon Apr 10 19:07:36 MDT 2006


On 3/27/06, Jeff Schroeder <jeff at zingstudios.net> wrote:
>
> Bryan:
> The catalyst that began all this is some PHP apps installed on my
> servers (by web hosting customers) are vulnerable... phpBB is a
> particularly big offender.  There are well-known exploits that allow a
> file to be saved to /tmp and run via the Perl interpreter.  Rather than
> tell my customers to take a hike, I wanted to find a way to prevent the
> exploit (which is better security policy anyway).


Had the same problem with those pesky script kiddies.

Run PHP in safe mode / without URL fopen wrappers (which is the actual
issue), and with open_basedir in effect.  Make the basedir the user home
dir and other PHP include dirs.  Apache will write to /tmp by itself for
sessions etc. because it doesn't live by the rules of PHP.

It will cost you in a bit more admin work but save your neck from being
chopped at your provider.

Hackville Pop 2

--
--
-- Matthew Frederico
http://www.ultrize.com
http://www.suspendedstudios.com
----------------------------------
Cell: (518)365-9841
Office: (361)288-3331
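The per-customer lockdown Matthew describes (URL fopen wrappers off, open_basedir limited to the customer's home plus the shared include path), written out as an Apache mod_php vhost fragment. This is an added example, not configuration from the original post or from PLUG; the host name, the /home/alice paths and the /usr/share/php include directory are assumed. The commented-out lines show the permissive settings the hardened ones replace. Note that safe_mode was removed in PHP 5.4, so only the other directives apply to a current interpreter.

```apache
# Added example (not from the original post): per-customer PHP restrictions
# in an Apache vhost running mod_php. Paths and host name are assumptions.
<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /home/alice/public_html

    # Weak (the permissive defaults of the time): include/fopen may fetch
    # remote URLs, and PHP may read or write anywhere the web server user can.
    #php_admin_flag  allow_url_fopen On
    #php_admin_value open_basedir    none

    # Hardened: no remote fetches, file access confined to the customer's home
    # and the shared include dir. Trailing slashes matter: "/home/alice" alone
    # is a prefix match and would also permit "/home/alice2".
    php_admin_flag  allow_url_fopen   Off
    php_admin_value open_basedir      "/home/alice/:/usr/share/php/"

    # Keep PHP's own scratch files (sessions, uploads) out of the shared /tmp;
    # the directory must be writable by the web server user.
    php_admin_value session.save_path "/home/alice/tmp"
    php_admin_value upload_tmp_dir    "/home/alice/tmp"

    # PHP < 5.4 only; the directive no longer exists in later versions.
    php_admin_flag  safe_mode         On
</VirtualHost>
```

php_admin_flag and php_admin_value cannot be overridden from .htaccess or ini_set(), which is the point of using them for hosting customers. open_basedir only constrains PHP's own file functions; anything a script launches through exec(), system() or backticks is not confined by it, so the noexec /tmp mount the thread is about (or disable_functions) is still needed against the drop-a-script-and-run-it pattern Jeff describes.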


