[horde] calls to popen()

Vilius Šumskas vilius at lnk.lt
Wed Feb 15 10:19:47 UTC 2012


> Am 14.02.2012 20:46, schrieb Michael M Slusarz:
> > Quoting Jan Schneider <jan at horde.org>:
> >
> >> Zitat von Reindl Harald <h.reindl at thelounge.net>:
> >>
> >>> Am 11.02.2012 08:16, schrieb Vilius ?umskas:
> >>>> Hi,
> >>>>
> >>>> Saturday, February 11, 2012, 12:57:10 AM, you wrote:
> >>>>
> >>>>> what is this after update H3 some minutes ago?
> >>>>
> >>>>> Feb 10 22:52:52 [30092] ALERT - function within blacklist called:
> >>>>> popen() (attacker '10.0.0.241', file
> >>>>> '/usr/share/horde/lib/Horde/Crypt/pgp.php', line 1696)
> >>>>
> >>>>> there are existing pear packages and no single need to
> >>>>> open command execution which nobody will do interested
> >>>>> in security for foreign software
> >>>>
> >>>> There  is nothing wrong with popen() calls. If you "security" software
> >>>> thinks overwise, then it is seriously botched.
> >>>
> >>> and the following proves you are wrong
> >>>
> >>> open_basedir will isolate vhosts where mod_php is needed
> >>> popen() and such commands are breakiing out of the vhost
> >>> if the following happens your whole machine is compromised
> >>
> >> This only proves that open_basedir is not much more than a duct tape.
> >
> > Sort of like suhosin's theory: if we break PHP so you can't use it, it is now
> more secure.  Stupid.
> >
> > I'm going to start a company that uses all of suhosin's buzzwords and then,
> when hired, I will go to the client's
> > office and disable the network interface on the PHP machine.  Ta-da!  That
> PHP installation is now 100% secure!
> 
> stop such nonsense
> 
> there is NOTHING broken if anybody disables shell-access through PHP
> anybody who allows it should consider no longer maintain any
> production servers!

What is a shell-access? It is access to the filesystem, that's all. PHP as a programming language have gazilion ways accessing a filesystem below, including file uploads and don't forget sockets. And blocking those totally criples all major applications. Other web programming languages doesn't even have such "security" configuration parameters. And for a good reason. It makes no sense. You have to ensure security on the system level, be it cgroups, jails, selinux or apparmor.

-- 
   Vilius



More information about the horde mailing list