[horde] calls to popen()

[Vilius Šumskas]

Sveiki,

Saturday, February 11, 2012, 4:29:09 PM, you wrote:

> Am 11.02.2012 08:16, schrieb Vilius Šumskas:
>> Hi,
>> 
>> Saturday, February 11, 2012, 12:57:10 AM, you wrote:
>> 
>>> what is this after update H3 some minutes ago?
>> 
>>> Feb 10 22:52:52 [30092] ALERT - function within blacklist called:
>>> popen() (attacker '10.0.0.241', file
>>> '/usr/share/horde/lib/Horde/Crypt/pgp.php', line 1696)
>> 
>>> there are existing pear packages and no single need to
>>> open command execution which nobody will do interested
>>> in security for foreign software
>> 
>> There  is nothing wrong with popen() calls. If you "security" software
>> thinks overwise, then it is seriously botched.

> my security software does exactly what i say and if you do
> not configure your servers in a secure way it is your problem
> there is ALL wrong with popen() for a default webapp!

> if there is any single bug with user inputs not correct
> handeled an attacker would have the possibility to execute
> local commands on the machine (with no open_basedir or any
> other php-restrition active) including the ability to
> trigger local (root) exploits if there are one existing

Then  it is a problem of the software which has the exploit or the sys
admin which doesn't update his software.

> to say it clear: a webapp with a bug using such functions makes
> every local exploit to a remote exploit!

Then it is a problem of the webapp, not of the function.

> every sysadmin not blocking the followed functions on
> shared servers and for common applications has to be FIRED

> popen, pclose, exec, passthru, shell_exec, system, proc_open,
> proc_close, proc_nice, proc_terminate,
> proc_get_status, pcntl_exec, apache_child_terminate, posix_kill,
> posix_mkfifo, posix_setpgid, posix_setsid,
> posix_setuid, mail, symlink

You  know  that  safe_mode  is deprecated, right?

-- 
Best regards,
 Vilius