[horde] calls to popen()

Reindl Harald h.reindl at thelounge.net
Wed Feb 15 09:53:39 UTC 2012

On 14.02.2012 20:46, Michael M Slusarz wrote:
> Quoting Jan Schneider <jan at horde.org>:
> 
>> Quoting Reindl Harald <h.reindl at thelounge.net>:
>>
>>> On 11.02.2012 08:16, Vilius ?umskas wrote:
>>>> Hi,
>>>>
>>>> Saturday, February 11, 2012, 12:57:10 AM, you wrote:
>>>>
>>>>> what is this after update H3 some minutes ago?
>>>>
>>>>> Feb 10 22:52:52 [30092] ALERT - function within blacklist called:
>>>>> popen() (attacker '10.0.0.241', file
>>>>> '/usr/share/horde/lib/Horde/Crypt/pgp.php', line 1696)
>>>>
>>>>> there are existing pear packages and no single need to
>>>>> open command execution which nobody will do interested
>>>>> in security for foreign software
>>>>
>>>> There is nothing wrong with popen() calls. If your "security" software
>>>> thinks otherwise, then it is seriously botched.
>>>
>>> and the following proves you are wrong
>>>
>>> open_basedir will isolate vhosts where mod_php is needed
>>> popen() and such commands are breaking out of the vhost
>>> if the following happens your whole machine is compromised
>>
>> This only proves that open_basedir is not much more than a duct tape.
> 
> Sort of like suhosin's theory: if we break PHP so you can't use it, it is now more secure.  Stupid.
> 
> I'm going to start a company that uses all of suhosin's buzzwords and then, when hired, I will go to the client's
> office and disable the network interface on the PHP machine.  Ta-da!  That PHP installation is now 100% secure!

stop such nonsense

there is NOTHING broken if anybody disables shell-access through PHP
anybody who allows it should consider no longer maintaining any
production servers!
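For reference, the setting behind the ALERT quoted above is suhosin's executor function blacklist, and PHP itself ships an equivalent core directive. The php.ini fragment below is an added example written for this archive page, not configuration from the thread, from Horde or from suhosin; the vhost path is a constructed placeholder and the function list is an assumption about which process-spawning functions an operator would want blocked.

```ini
; Constructed example (not from the thread): confine a vhost with
; open_basedir AND refuse process-spawning functions, so a popen()
; call is rejected whether or not the suhosin extension is loaded.

; Limit file access of this vhost to its document root and a temp dir.
; open_basedir restricts file paths only; it does not stop a script
; from starting an external process, which is the point made above.
open_basedir = "/var/www/example.vhost/:/tmp/"

; Core PHP directive: listed functions cannot be called from scripts.
; Only settable in php.ini (not per script), so it cannot be undone
; at runtime by the application.
disable_functions = popen,proc_open,exec,shell_exec,system,passthru

; suhosin equivalent, effective only if the extension is loaded; this
; is the list that produced "function within blacklist called: popen()".
suhosin.executor.func.blacklist = popen,proc_open,exec,shell_exec,system,passthru
```

With either list in place the call at /usr/share/horde/lib/Horde/Crypt/pgp.php line 1696 fails instead of spawning gpg, so Horde's PGP features stop working on that vhost; that loss of functionality versus the contained shell access is exactly the trade-off the thread is arguing about. The ALERT line in the log is the detection side: a blacklist hit names the file, line and client address, which is worth forwarding to whatever watches the PHP error log.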
