BugTraq
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 13 2013 07:57PM
Reindl Harald (h reindl thelounge net)


On 13.08.2013 21:36, Stefan Kanthak wrote:
>> *define what is secure* and make sure you define it by context
>>
>> unlink('file_my_script_wrote'); is fine
>
> No, it's UNSAFE!
> The standard use case of PHP is "preprocessor for HTTP demon".
> There is ABSOLUTELY no need to allow the preprocessor...

Copyright 2010, SecurityFocus