disable symlink in php

Support/Development for PHP
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

disable symlink in php

Unread post by faris »

I've been made aware of an old vulnerability in PHP that makes use of PHP's symlink command. This appears to still be effective, though I've not personally tested it.

I therefore thought it would be sensible to disable it.

I can't think of any script that would need to use it, but you never know.

Have any of you disabled it? Any problems?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: disable symlink in php

Unread post by prupert »

To my knowledge several vulnerabilities regarding bypassing open_basedir with symlink() have already been fixed a long time ago. If you are using the 5.1 packages from CentOS 5, or the 5.3.x packages from CentOS 6 or ART you should be safe. Although, I am not sure which vulnerability you are talking about specifically. If you have a CVE number, you should be able to look it up of course. If not, could you post more details?
Lemonbit Internet Dedicated Server Management
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: disable symlink in php

Unread post by faris »

It is an old one that I would have expected to be fixed. But a poster elsewhere insists it works on 5.3.3.

http://cxsecurity.com/issue/WLB-2005090062

My reading of this is that it was fixed LONG ago. But the poster says he's tried it on 5.3.3 (CentOS default, I think?) and it works.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: disable symlink in php

Unread post by prupert »

I have just checked. The exploit does not work on the latest 5.3 from CentOS, nor on the latest 5.3 from ART. Additionally, the WAF rules from ASL will also protect against this exploit.
Lemonbit Internet Dedicated Server Management
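For anyone following faris's question about actually disabling the function, here is a small audit script added as an example (it is not code from any poster in this thread). It reports whether symlink() is blocked via disable_functions and whether open_basedir is set, which is the restriction the linked report describes bypassing. It avoids PHP 7+ syntax so it runs on the 5.3 builds discussed above as well as on current versions.

```php
<?php
// Added example, not from the thread: audit the running PHP for the
// symlink()/open_basedir hardening discussed above.
// Caveat: the CLI reads its own php.ini; run it under the SAPI you serve
// with (mod_php, php-fpm) to see the configuration that matters.

function symlinkIsDisabled()
{
    // disable_functions is a comma-separated list; normalise and search it.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $listed   = in_array('symlink', $disabled, true);
    // function_exists() also returns false for functions removed through
    // disable_functions, so either signal counts as "disabled".
    return $listed || !function_exists('symlink');
}

function openBasedirIsSet()
{
    return trim((string) ini_get('open_basedir')) !== '';
}

$report = array(
    'php_version'        => PHP_VERSION,
    'symlink_disabled'   => symlinkIsDisabled(),
    'open_basedir_set'   => openBasedirIsSet(),
    'open_basedir_value' => (string) ini_get('open_basedir'),
);

foreach ($report as $key => $value) {
    printf("%-20s %s\n", $key, var_export($value, true));
}

if (!$report['symlink_disabled']) {
    // The php.ini line that disables the function for every script.
    echo "Hint: add to php.ini and restart the web server:\n";
    echo "  disable_functions = symlink\n";
}
```

Because disable_functions is a single list, append symlink to whatever is already there rather than replacing the existing value.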