[horde] calls to popen()

Michael M Slusarz slusarz at horde.org
Tue Feb 14 19:46:03 UTC 2012


Quoting Jan Schneider <jan at horde.org>:

> Zitat von Reindl Harald <h.reindl at thelounge.net>:
>
>> Am 11.02.2012 08:16, schrieb Vilius Šumskas:
>>> Hi,
>>>
>>> Saturday, February 11, 2012, 12:57:10 AM, you wrote:
>>>
>>>> what is this after update H3 some minutes ago?
>>>
>>>> Feb 10 22:52:52 [30092] ALERT - function within blacklist called:
>>>> popen() (attacker '10.0.0.241', file
>>>> '/usr/share/horde/lib/Horde/Crypt/pgp.php', line 1696)
>>>
>>>> there are existing pear packages and no single need to
>>>> open command execution which nobody will do interested
>>>> in security for foreign software
>>>
>>> There is nothing wrong with popen() calls. If your "security" software
>>> thinks otherwise, then it is seriously botched.
>>
>> and the following proves you are wrong
>>
>> open_basedir will isolate vhosts where mod_php is needed
>> popen() and such commands are breaking out of the vhost
>> if the following happens your whole machine is compromised
>
> This only proves that open_basedir is not much more than a duct tape.

Sort of like suhosin's theory: if we break PHP so you can't use it, it  
is now more secure.  Stupid.

I'm going to start a company that uses all of suhosin's buzzwords and  
then, when hired, I will go to the client's office and disable the  
network interface on the PHP machine.  Ta-da!  That PHP installation  
is now 100% secure!

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
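Added example, not code from the thread or from Horde: a short PHP check for the gap Harald describes above, i.e. a vhost that relies on open_basedir while the process-execution functions open_basedir does not cover are still callable. Run it under the vhost's own PHP configuration (mod_php or an FPM pool); the function list is the editor's assumption of the relevant builtins.

```php
<?php
// Added example (not from the thread): report whether this PHP configuration
// relies on open_basedir alone or also blocks the process-execution functions
// that open_basedir does not restrict. Run it as the vhost's PHP user.

// Builtins that start a subprocess; open_basedir confines file access, not these.
const EXEC_FUNCTIONS = [
    'popen', 'proc_open', 'exec', 'shell_exec', 'system', 'passthru',
];

/**
 * Return the execution functions that are still callable under the
 * effective disable_functions setting.
 */
function execFunctionsLeftEnabled(): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $enabled = [];
    foreach (EXEC_FUNCTIONS as $fn) {
        // function_exists() returns false for functions removed via disable_functions;
        // the ini check is kept as a second source in case of an odd SAPI.
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $enabled[] = $fn;
        }
    }
    return $enabled;
}

$basedir = ini_get('open_basedir');
$left    = execFunctionsLeftEnabled();

printf("open_basedir: %s\n", ($basedir !== '' && $basedir !== false) ? $basedir : '(not set)');
if ($left === []) {
    echo "All process-execution functions are disabled.\n";
} else {
    // With open_basedir set but these still enabled, a script confined to the
    // vhost directory can still start processes that are not confined to it.
    echo "Still callable: " . implode(', ', $left) . "\n";
    echo "Add them to disable_functions in this vhost's php.ini or FPM pool if they are not needed.\n";
}
```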
