Fraser Campbell wrote:
On Sunday 12 December 2004 17:46, Marek Podmaka wrote:
I don't want to give hints on how to exploit this, but the attacker
did wget the .tgz file, unpacked it in /tmp and ran the program.
So update all your phpBB installations ASAP (and of course all
installations of your
Francesco P. Lovergine said:
> I run apache using dchroot to avoid the most common problems.
> Breaking a chroot is possible, but not so easy and it's more
> difficult within dchroot which _should_ drop privileges properly AFAIK
Hi Fraser,
On Mon, 13 Dec 2004 07:53:38 -0500
Fraser Campbell <[EMAIL PROTECTED]> wrote:
> In my case I doubt it since much of postfix lives there. It might be
> possible in certain cases though I'm not sure.
Maybe you could make 2 partitions:
/var mounted noexec and /var/spool/postfix mounted ex
also sprach Jerome Vandenabeele <[EMAIL PROTECTED]> [2004.12.14.1200 +0100]:
> Maybe you could make 2 partitions: /var mounted noexec and
> /var/spool/postfix mounted exec
I hope you are running a 2.6 kernel if you rely on the exec flag.
Sorry for barking into this thread, which I have not followe
On Mon, Dec 13, 2004 at 01:44:41PM +0200, Boris Pavlov wrote:
>
> limit with php opendir. make another tmp directory, and set php temp dir,
> with all permissions you want. limit the system function, if you don't need
> it. they are per-vhost apache settings, check the manuals.
>
I run apac
On Monday 13 December 2004 03:31, Marek Podmaka wrote:
> Yes, I have been doing the same with /tmp, but some debian packages
> won't install on noexec /tmp. But there are other directories on my
> system which are world writable - for example /var/tmp and
> /var/lock.
If you've configured
better look at your php4 settings:
limit with php opendir. make another tmp directory, and set php temp dir,
with all permissions you want. limit the system function, if you don't need
it. they are per-vhost apache settings, check the manuals.
wwell edi
Fraser Campbell writes:
On Sunday
On Mon, 13 Dec 2004, Marek Podmaka wrote:
> Yes, I have been doing the same with /tmp, but some debian packages
> won't install on noexec /tmp. But there are other directories on my
> system which are world writable - for example /var/tmp and
> /var/lock.
If you can make /tmp noexec, you c
Hello Fraser,
Yes, I have been doing the same with /tmp, but some debian packages
won't install on noexec /tmp. But there are other directories on my
system which are world writable - for example /var/tmp and
/var/lock.
Can entire /var be mounted noexec?
Monday, December 13, 2004, 4:17
On Sunday 12 December 2004 17:46, Marek Podmaka wrote:
> I don't want to give hints on how to exploit this, but the attacker
> did wget the .tgz file, unpacked it in /tmp and ran the program.
>
> So update all your phpBB installations ASAP (and of course all
> installations of your customer
Hello debian-isp,
maybe little off-topic, but I want to remind you of this phpBB
vulnerability, which is fixed in version 2.0.11 (announced on 18th
November) which "addresses a potentially serious exploit".
I am writing this because it's not potential, but real. Before 2
weeks, someon