DaemonForums  

Go Back   DaemonForums > NetBSD > NetBSD General

NetBSD General Other questions regarding NetBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 13th February 2011
classicmanpro's Avatar
classicmanpro classicmanpro is offline
Real Name: Turea Alexandru Teodor
Fdisk Soldier
 
Join Date: Oct 2010
Location: Romania (SE Europe)
Posts: 49
Thanked 1 Time in 1 Post
Question *AMP Security: suPHP and CGI

Quote from the suPHP documentation:

Quote:
Please note, that running mod_suphp and mod_php concurrently can be
*VERY DANGEROUS* and should be avoided. The same applies to CGI
scripts which are run with webserver privileges.

suPHP should only be used if you are using no CGI scripts or if all CGI
scripts are run using suExec.
Does this warning apply to ALL CGI scripts or to PHP CGI scripts only? ... I've scouted the internet for security guidelines regarding this issue but none seem to cover suPHP.

I'm asking this because I would like to use suPHP and PERL scripts (handler for PL files) concurrently. Are there any security implications?
__________________
A daemon in need is a daemon indeed.
Reply With Quote
  #2   (View Single Post)  
Old 14th February 2011
classicmanpro's Avatar
classicmanpro classicmanpro is offline
Real Name: Turea Alexandru Teodor
Fdisk Soldier
 
Join Date: Oct 2010
Location: Romania (SE Europe)
Posts: 49
Thanked 1 Time in 1 Post
Post

I've analyzed the setup of three distinct hosting providers and they all had suPHP and PERL handlers ... active and running concurrently.

For the moment, my best guess is that only suPHP shouldn't be used for CGI.

Quote:
If one uses the regular PHP CGI binary, all scripts are run using the rights of the server (limited damage if files have 0644) but, in case of suPHP, the CGI binary runs the scripts using the owner's privileges (unlimited access in the user's home).
The worst scenario would be a local file exposure, that is, one might create a script for the suPHP CGI binary, place it in cgi-bin and be able to modify files which otherwise couldn't be modified.

Please correct me if I'm wrong.
__________________
A daemon in need is a daemon indeed.
Reply With Quote
Reply

Tags
apache, cgi, suphp

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Security by default bettyblue OpenBSD Security 4 30th May 2010 08:30 PM
Virtualization security J65nko General software and network 2 16th February 2010 01:30 AM
NetBSD New security advisories J65nko News 0 16th January 2010 12:05 PM


All times are GMT. The time now is 05:24 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick