No executables in /tmp
jeff at zingstudios.net
Mon Mar 27 16:53:49 MST 2006
> Does apache spawn new perl processes? I thought that
> mod_perl was part of the apache process. How could someone exec a
> new perl command on your machine via mod_perl? Doesn't mod_perl
> prevent (or at least provide a way to secure) exec and eval calls?
Honestly, I don't mess with mod_perl much. I'm a PHP programmer (/me
dons asbestos shirt) so I don't know the internals of how mod_perl does
the magic. I'll have to read up on it before implementing something

The catalyst that began all this is that some PHP apps installed on my
servers (by web hosting customers) are vulnerable... phpBB is a
particularly big offender. There are well-known exploits that allow a
file to be saved to /tmp and run via the Perl interpreter. Rather than
tell my customers to take a hike, I wanted to find a way to prevent the
exploit (which is better security policy anyway).