[horde] calls to popen()

Jan Schneider jan at horde.org
Sat Feb 11 20:28:27 UTC 2012


Quoting Reindl Harald <h.reindl at thelounge.net>:

> On 11.02.2012 15:43, Vilius Šumskas wrote:
>>> if there is any single bug with user input not correctly
>>> handled, an attacker would have the possibility to execute
>>> local commands on the machine (with no open_basedir or any
>>> other php restriction active), including the ability to
>>> trigger local (root) exploits if any exist
>>
>> Then it is a problem of the software which has the exploit, or of the
>> sysadmin who doesn't update his software.
>
> and you are 100% sure that horde never has a bug
> which is exploited before an update exists?
>
>>> to say it clearly: a webapp with a bug using such functions turns
>>> every local exploit into a remote exploit!
>>
>> Then it is a problem of the webapp, not of the function.
>
> and anybody interested in security does not allow
> execution of shell commands for webapps, so that
> currently unknown problems are not even exploitable
> if they are disclosed at a time when no fix is available
>
>>> every sysadmin not blocking the following functions on
>>> shared servers and for common applications has to be FIRED
>>
>>> popen, pclose, exec, passthru, shell_exec, system, proc_open,
>>> proc_close, proc_nice, proc_terminate,
>>> proc_get_status, pcntl_exec, apache_child_terminate, posix_kill,
>>> posix_mkfifo, posix_setpgid, posix_setsid,
>>> posix_setuid, mail, symlink
>>
>> You know that safe_mode is deprecated, right?
>
> you know that you have no idea what you are talking about?
> what has this to do with safe_mode????????
>
> SUHOSIN is the piece of software which blocked the remote security
> bug in PHP that was fixed some days ago, and many thousands of generic
> attacks in the last years, and it has nothing to do with safe_mode
>
> also php has a builtin "disable_functions" (but not per-site), which
> also has NOTHING to do with safe_mode - so please stop explaining the
> world to people without having any education in security topics
>
> php_admin_value suhosin.executor.func.blacklist "popen, pclose,
> exec, passthru, shell_exec, system, proc_open,
> proc_close, proc_nice, proc_terminate, proc_get_status, pcntl_exec,
> apache_child_terminate, posix_kill,
> posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, mail, symlink"

Nobody forces you to use PGP functionality, or *any* functionality
that uses proc_open etc, in Horde if you are paranoid. It's your
choice. There is no alternative.
Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
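A runtime check for the blacklist quoted in the thread, added here as an example (it is neither from the thread nor from Horde): it reports which of the listed process-control functions remain callable under the php.ini that is actually loaded, so an admin can confirm that `disable_functions` (or suhosin's blacklist, which hides the functions the same way) took effect. The function list is the one quoted above; the script structure and names are assumptions.

```php
<?php
// Added example: audit which shell/process functions from the thread's list
// are still callable in this PHP runtime. Run it with `php audit.php` and,
// for a meaningful result, also through the web SAPI, because php-cli and
// mod_php/php-fpm frequently load different php.ini files.

// The list exactly as quoted in the thread.
const RISKY_FUNCTIONS = [
    'popen', 'pclose', 'exec', 'passthru', 'shell_exec', 'system',
    'proc_open', 'proc_close', 'proc_nice', 'proc_terminate',
    'proc_get_status', 'pcntl_exec', 'apache_child_terminate',
    'posix_kill', 'posix_mkfifo', 'posix_setpgid', 'posix_setsid',
    'posix_setuid', 'mail', 'symlink',
];

// Parse the comma-separated disable_functions directive into a lookup set.
function disabledFunctions(): array
{
    $raw   = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)));
    return array_fill_keys(array_map('strtolower', $names), true);
}

// Classify each function as 'disabled' (named in disable_functions),
// 'absent' (extension not loaded, so not callable either) or 'callable'.
function auditFunctions(array $list): array
{
    $disabled = disabledFunctions();
    $result   = [];
    foreach ($list as $fn) {
        if (isset($disabled[strtolower($fn)])) {
            $result[$fn] = 'disabled';
        } elseif (!function_exists($fn)) {
            // function_exists() also returns false for disabled functions,
            // so the ini lookup above must run first to tell the cases apart.
            $result[$fn] = 'absent';
        } else {
            $result[$fn] = 'callable';
        }
    }
    return $result;
}

$report = auditFunctions(RISKY_FUNCTIONS);
foreach ($report as $fn => $state) {
    printf("%-24s %s\n", $fn, $state);
}
$stillOpen = array_keys($report, 'callable', true);
exit($stillOpen === [] ? 0 : 1); // non-zero exit when anything is still callable
```

A non-zero exit status makes the script usable from a deployment check or cron job that flags hosts where the hardening silently did not apply.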
