[Clipart] fd.o compromised because of our incoming!

Jonathan Leighton lists at turnipspatch.com
Thu Oct 20 02:43:58 PDT 2005

On Thu, 2005-10-20 at 10:04 +0300, Nicu Buculei wrote:
> > 4.  Configure Apache so that executables or scripts
> >     or PHP or whatnot are not run from the incoming
> >     directory, or the clipart directory, or other
> >     such places where they do not belong.  Frankly
> >     I cannot think of any very good reason to allow
> >     anything other than static content outside of the
> >     cgi-bin directory.  (Yeah, we currently have PHP
> >     content outside of cgi-bin, notably in the document
> >     root, but there's no good reason it *needs* to be
> >     that way.)
> As I said before, I don't think this is doable, but we definitely can 
> limit what external programs can be run form a PHP script (with the 
> "system()" command):
> http://ro2.php.net/manual/en/function.system.php
> http://ro2.php.net/manual/en/features.safe-mode.php#ini.safe-mode-exec-dir

I think you can do "php_admin_flag engine off" in .htaccess. If not we
can prevent any .php files being served in that directory. The best
method would be to not have the incoming directory under our document
root though, IMO.

Jonathan Leighton
http://turnipspatch.com/ | http://digital-proof.org/

More information about the clipart mailing list