[horde] calls to popen()
Michael M Slusarz
slusarz at horde.org
Tue Feb 14 19:46:03 UTC 2012
Quoting Jan Schneider <jan at horde.org>:
> Zitat von Reindl Harald <h.reindl at thelounge.net>:
>
>> Am 11.02.2012 08:16, schrieb Vilius ?umskas:
>>> Hi,
>>>
>>> Saturday, February 11, 2012, 12:57:10 AM, you wrote:
>>>
>>>> what is this after update H3 some minutes ago?
>>>
>>>> Feb 10 22:52:52 [30092] ALERT - function within blacklist called:
>>>> popen() (attacker '10.0.0.241', file
>>>> '/usr/share/horde/lib/Horde/Crypt/pgp.php', line 1696)
>>>
>>>> there are existing pear packages and no single need to
>>>> open command execution which nobody will do interested
>>>> in security for foreign software
>>>
>>> There is nothing wrong with popen() calls. If you "security" software
>>> thinks overwise, then it is seriously botched.
>>
>> and the following proves you are wrong
>>
>> open_basedir will isolate vhosts where mod_php is needed
>> popen() and such commands are breakiing out of the vhost
>> if the following happens your whole machine is compromised
>
> This only proves that open_basedir is not much more than a duct tape.
Sort of like suhosin's theory: if we break PHP so you can't use it, it
is now more secure. Stupid.
I'm going to start a company that uses all of suhosin's buzzwords and
then, when hired, I will go to the client's office and disable the
network interface on the PHP machine. Ta-da! That PHP installation
is now 100% secure!
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
More information about the horde
mailing list