limit with php opendir. make another tmp directory, and set php temp dir, with all permissions you want. limit the system function, if you don't need it. they are a per-vhost apache settings, check the manuals.
wwell edi
Fraser Campbell writes:
On Sunday 12 December 2004 17:46, Marek Podmaka wrote:I don't want to give hints on how to exploit this, but the attacker
did wget the .tgz file, unpacked it in /tmp and run the program.
So update all your phpBB installations ASAP (and of course all installations of your customers).
On a somewhat related note ...
I have the habit of mount /tmp with noexec,nosuid,nodev. I also mount /usr and /boot ro. These minor changes can prevent common automated attacks (probably the one you encountered) and don't cause any problems.
--
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]