On 28.10.2013 20:49, Michael Orlitzky wrote:
> On 10/28/2013 03:14 PM, Douglas Mortensen wrote:
>> If a customer has vulnerable PHP code on a website, some of these
>> will allow a remote file upload. I have seen cases where they upload
>> a PHP script that is a sort of web-based console/shell to the server
>> (file-system, etc.). It provides several tools which all run through
>> the uploaded PHP script to try to brute force and do other attacks.
>> I've seen attempts at a root exploit. We've never had a root exploit
>> and any such case of a customer's site being hacked has been easily
>> contained by simple filesystem permissions being correct (and the
>> fact that we have apache setup to run all scripts as the user who is
>> the owner of the script files, which confines the script to that
>> users' permissions). Still nobody loves the idea of bad guys trying
>> to hack on your box.
>
> If an attacker gets root, the entire exercise is pointless, because he
> can get the decryption key. So you "don't have to worry" about that case =)
>
> A suggestion, not dovecot-related:
>
> The web users -- in our case, www.example.com -- shouldn't have access
> to anything outside of the web root. You can achieve this within PHP by
> placing everything that the website will need under one directory, and
> setting (in apache):
>
> php_admin_value open_basedir /var/www/$domain/$host/
> php_admin_value upload_tmp_dir /var/www/$domain/$host/tmp
> php_admin_value session.save_path /var/www/$domain/$host/tmp
> php_admin_value sys_temp_dir /var/www/$domain/$host/tmp

oh no - do *not* place the session data anywhere inside open_basedir

this is one of the worst things you can do, because any otherwise
harmless script that bypassed whatever security restriction will be
able to read *any* session data

but hey, also PHP upstream a few years ago had no clue about
session security
https://bugs.php.net/bug.php?id=42077
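
One way to audit for the condition the reply above warns about, as an added example that is not part of the thread: a Python script that scans Apache `<VirtualHost>` blocks and reports every vhost whose `session.save_path` lies inside one of its `open_basedir` entries. The sample configuration and its paths are constructed, and `inside`, `check` and `audit` are hypothetical helper names.

```python
import posixpath
import re

# Matches lines such as: php_admin_value open_basedir /var/www/site/
DIRECTIVE = re.compile(r"^\s*php_admin_value\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)

# Constructed sample: vhost 1 keeps sessions inside open_basedir, vhost 2 does not.
SAMPLE = """\
<VirtualHost *:80>
    php_admin_value open_basedir /var/www/example.com/www/
    php_admin_value session.save_path /var/www/example.com/www/tmp
</VirtualHost>
<VirtualHost *:80>
    php_admin_value open_basedir /var/www/example.org/www/
    php_admin_value session.save_path "5;/var/lib/php-sessions/example.org"
</VirtualHost>
"""

def inside(path, base):
    """True if path is base or lies below it (assumption: entries are directories)."""
    path, base = posixpath.normpath(path), posixpath.normpath(base)
    return path == base or path.startswith(base.rstrip("/") + "/")

def check(index, settings):
    """Findings for one vhost: (vhost number, session dir, matching open_basedir entry)."""
    save = settings.get("session.save_path", "")
    save = save.split(";")[-1]  # save_path may be "N;/path" or "N;MODE;/path"
    bases = settings.get("open_basedir", "").split(":")  # ':' separates entries on Unix
    return [(index, save, b) for b in bases if save and b and inside(save, b)]

def audit(conf_text):
    """Scan <VirtualHost> blocks; directives outside a vhost are ignored here."""
    findings, settings, index, in_vhost = [], {}, 0, False
    for line in conf_text.splitlines():
        if VHOST_OPEN.match(line):
            settings, index, in_vhost = {}, index + 1, True
        elif VHOST_CLOSE.match(line):
            findings.extend(check(index, settings))
            in_vhost = False
        elif in_vhost:
            m = DIRECTIVE.match(line)
            if m:
                settings[m.group(1).lower()] = m.group(2).strip("\"'")
    return findings

if __name__ == "__main__":
    for vhost, save, base in audit(SAMPLE):
        print(f"vhost #{vhost}: session.save_path {save} is inside open_basedir {base}")
```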