Rootkit
Andy Green
andy at warmcat.com
Tue Oct 23 08:04:28 UTC 2007
Somebody in the thread at some point said:
> On Tuesday 23 October 2007 09:30:01 Andy Green wrote:
>
>> But it seems to me it's not where the real problems are for servers.
>> The real problems are in PHP or other scripts that accept user input as
>> PHP code or database queries one way or another, and it won't really
>> help since the attacker is running the properly signed stuff. There's a
>> lot of bad things the attacker can do with PHP commands, shell commands,
>> alias, config files, etc that all run in 'authorized' contexts.
>>
>
> Maybe I'm taking wrong the point but, this could be avoid by using php open
> basedir, right?
Some things can be avoided by that... I use safe_mode on and
open_basedir, safe_mode_exec_dir and more. But watching people trying
to hack Tikiwki was very educational. One of the things they were after
was to dump the Tikiwiki config file that contained the database
credentials, which they could have done despite the .htaccess in there
from inside the vulnerable PHP. I guess they would have tried those
credentials on a login, modified the tikiwiki contents to be spam, drop
javascript trojans, who knows what.
We are ALL *one* flaw in something away from being cracked, open_basedir
or not.
-Andy
More information about the fedora-list
mailing list