[horde] calls to popen()

Reindl Harald h.reindl at thelounge.net
Sat Feb 11 14:29:09 UTC 2012



On 11.02.2012 08:16, Vilius Šumskas wrote:
> Hi,
> 
> Saturday, February 11, 2012, 12:57:10 AM, you wrote:
> 
>> what is this after update H3 some minutes ago?
> 
>> Feb 10 22:52:52 [30092] ALERT - function within blacklist called:
>> popen() (attacker '10.0.0.241', file
>> '/usr/share/horde/lib/Horde/Crypt/pgp.php', line 1696)
> 
>> there are existing pear packages and no single need to
>> open command execution which nobody will do interested
>> in security for foreign software
> 
> There is nothing wrong with popen() calls. If your "security" software
> thinks otherwise, then it is seriously botched.

my security software does exactly what i say and if you do
not configure your servers in a secure way it is your problem.
there is ALL wrong with popen() for a default webapp!

if there is any single bug with user inputs not correctly
handled an attacker would have the possibility to execute
local commands on the machine (with no open_basedir or any
other php-restriction active) including the ability to
trigger local (root) exploits if there is one existing

to say it clearly: a webapp with a bug using such functions makes
every local exploit into a remote exploit!

every sysadmin not blocking the following functions on
shared servers and for common applications has to be FIRED

popen, pclose, exec, passthru, shell_exec, system, proc_open, proc_close, proc_nice, proc_terminate,
proc_get_status, pcntl_exec, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid,
posix_setuid, mail, symlink
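The list above is enforced in stock PHP through the `disable_functions` INI directive. The following audit script is an added example, not something posted in this thread or shipped by Horde: it takes the function names from the post, reads `disable_functions` from the PHP build it is run under, and reports which of those functions are explicitly disabled, which are simply not compiled in, and which remain callable. The helper names (`parseDisabledFunctions`, `auditDangerousFunctions`) and the `DANGEROUS_FUNCTIONS` constant are this example's own.

```php
<?php
// Added audit helper (not from the mailing-list thread or from Horde).
// Compares the functions the post says must be blocked on shared servers
// against what the running PHP actually disables via disable_functions.

// The function list exactly as given in the post.
const DANGEROUS_FUNCTIONS = [
    'popen', 'pclose', 'exec', 'passthru', 'shell_exec', 'system',
    'proc_open', 'proc_close', 'proc_nice', 'proc_terminate', 'proc_get_status',
    'pcntl_exec', 'apache_child_terminate', 'posix_kill', 'posix_mkfifo',
    'posix_setpgid', 'posix_setsid', 'posix_setuid', 'mail', 'symlink',
];

/**
 * Turn the comma-separated disable_functions value into a lookup set.
 * php.ini tolerates whitespace around the names, so trim each entry.
 */
function parseDisabledFunctions(string $ini): array
{
    $names = array_filter(array_map('trim', explode(',', $ini)));
    return array_fill_keys(array_map('strtolower', $names), true);
}

/**
 * Classify each wanted function as 'disabled' (listed in disable_functions),
 * 'exposed' (compiled in and still callable) or 'absent' (extension not
 * loaded). function_exists() returns false both for disabled functions and
 * for functions that were never compiled, so the INI set is checked first
 * to tell the two apart.
 */
function auditDangerousFunctions(array $wanted, string $disabledIni): array
{
    $disabled = parseDisabledFunctions($disabledIni);
    $report   = ['exposed' => [], 'disabled' => [], 'absent' => []];

    foreach ($wanted as $fn) {
        if (isset($disabled[strtolower($fn)])) {
            $report['disabled'][] = $fn;
        } elseif (function_exists($fn)) {
            // Reachable from every PHP script on this host.
            $report['exposed'][] = $fn;
        } else {
            $report['absent'][] = $fn;
        }
    }
    return $report;
}

$report = auditDangerousFunctions(DANGEROUS_FUNCTIONS, (string) ini_get('disable_functions'));

foreach ($report as $state => $fns) {
    printf("%-9s %s\n", $state . ':', $fns ? implode(', ', $fns) : '(none)');
}

// Non-zero exit when anything from the list is still callable, and print the
// INI line that would close the gap so the result can feed a config check.
if ($report['exposed']) {
    fwrite(STDERR, "disable_functions = " . implode(',', DANGEROUS_FUNCTIONS) . "\n");
    exit(1);
}
```

`disable_functions` is a system-level INI setting that cannot be changed at runtime, and the CLI usually loads a different php.ini than mod_php or php-fpm does, so run the script with the INI file the web SAPI actually uses (for example `php -c /path/to/the/web/php.ini audit.php`), or drop it behind a restricted URL and read the output there; otherwise the audit describes the wrong interpreter.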
