Major Security Flaw with apache (apr) on FC3 & FC4

Alexander Dalloz ad+lists at uni-x.org
Tue Jul 5 11:01:44 UTC 2005


On Tue, 05.07.2005 at 12:55, FC wrote:

> "chown apache:apache /var/www/html" Was just to test the behaviour
> I am using many virtualhosts on a diff partition and each dir is owned by a different user
> so mentioned the apache.apache for testing purpose :)
> 
> I just had a user installing phpfm on his vhost and he had troubles ..
> that's how I found out about this .. suphp won't allow world-writable docroots. That's the reason why he had problems :)
> 
> -Philip

Ok, now I understand better. I suggest you contact the phpfm coder(s)
and ask politely why they use code like

@chmod($dir_atual,0777);

chmod 777 for publicly accessible content on a webserver is awful, no
question.

Please keep us informed about the feedback.

Do you finally agree that nothing is broken with Apache (apr)? You
should then close this thread with a note in subject.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 12:54:47 up 9 days, 19:46, load average: 0.32, 0.19, 0.18 
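As an added example (not part of the original message, nor code from phpfm or suPHP), a small POSIX shell audit that reports the world-writable directories suPHP refuses to serve from, a pass/fail check for deploy scripts, and a fix that only drops the o+w bit; the docroot path is whatever you pass in.

```shell
# List every directory under the given document root that is writable by
# "other" (the o+w bit set), i.e. the condition suPHP rejects a docroot for.
# Usage: find_world_writable_dirs /var/www/html
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Exit status 0 when no world-writable directory exists under the docroot,
# 1 otherwise, so it can gate a deploy: docroot_is_safe "$DOCROOT" || exit 1
docroot_is_safe() {
    [ -z "$(find_world_writable_dirs "$1")" ]
}

# Remove only the o+w bit from offending directories; owner and group bits
# (and the per-vhost ownership mentioned in the thread) are left untouched.
harden_docroot_dirs() {
    find "$1" -type d -perm -0002 -exec chmod o-w {} +
}
```

Directories with the sticky bit (mode 1777, like /tmp) still carry o+w and are reported too, which is the behaviour you want for a docroot.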