I've been made aware of an old vulnerability in php that makes use of php's symlink command. This appears to still be effective though I've not personally tested it.
I therefore thought it would be sensible to disable it.
I can't think of any script that would need to use it, but you never know.
Have any of you disabled it? Any problems?
disable symlink in php
--------------------------------
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
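The original poster asks how to disable symlink() without knowing whether any script needs it. The knob is the disable_functions directive in php.ini, which is PHP_INI_SYSTEM, so it cannot be set from ini_set() or a per-site .htaccess and must be applied in the server-wide php.ini and followed by a web-server restart. The script below is an added example, not code from the thread or from ART/Lemonbit: it audits a php.ini text for a symlink entry in disable_functions and produces a hardened copy, appending symlink to an existing list rather than clobbering it. The two sample php.ini fragments are constructed for the example.

```sh
#!/bin/sh
# Added example: audit and harden the disable_functions directive in a php.ini.
# Not part of the original thread; the sample ini contents below are constructed.

# Constructed sample: disable_functions present but empty (symlink() callable).
SAMPLE_INI_WEAK='; php.ini
expose_php = Off
disable_functions =
open_basedir = /var/www'

# Constructed sample: symlink already in the list alongside common exec functions.
SAMPLE_INI_HARDENED='; php.ini
expose_php = Off
disable_functions = exec,passthru,shell_exec,system,symlink
open_basedir = /var/www'

# symlink_disabled INI_TEXT
# Returns 0 if "symlink" appears as an entry of disable_functions, 1 otherwise.
# The value is split on commas and each entry is trimmed, so "a, symlink ,b"
# is recognised and "symlinkfoo" is not.
symlink_disabled() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
      | grep -qx 'symlink'
}

# harden_ini INI_TEXT
# Prints INI_TEXT with symlink added to disable_functions:
#   - an empty directive becomes "disable_functions = symlink"
#   - an existing list gets ",symlink" appended (other entries are kept)
#   - a list that already contains symlink is left untouched
#   - if the directive is missing entirely, one is appended at the end
harden_ini() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*disable_functions[[:space:]]*=/ {
            found = 1
            split($0, kv, "=")
            val = kv[2]
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (val == "") {
                print "disable_functions = symlink"
            } else if (val ~ /(^|,)[[:space:]]*symlink[[:space:]]*(,|$)/) {
                print
            } else {
                print "disable_functions = " val ",symlink"
            }
            next
        }
        { print }
        END { if (!found) print "disable_functions = symlink" }
    '
}

# Usage when run directly: show the hardened version of the weak sample.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    harden_ini "$SAMPLE_INI_WEAK"
fi
```

To apply it to a real server, run `harden_ini "$(cat /etc/php.ini)"` into a new file, review the diff, install it and restart Apache or php-fpm. Verify from the same SAPI that serves requests, since the CLI may read a different php.ini: a phpinfo() page should list symlink under disable_functions, and `php -r 'var_dump(function_exists("symlink"));'` should print bool(false) for the CLI configuration. Note that disable_functions only blocks the PHP userland function; it does not stop a script from creating a symlink through an allowed exec-type function, which is why those are commonly disabled together as in the hardened sample.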
Re: disable symlink in php
To my knowledge several vulnerabilities regarding bypassing open_basedir with symlink() have already been fixed a long time ago. If you are using the 5.1 packages from CentOS 5, or the 5.3.x packages from CentOS 6 or ART you should be safe. Although, I am not sure which vulnerability you are talking about specifically. If you have a CVE number, you should be able to look it up of course. If not, could you post more details?
Lemonbit Internet Dedicated Server Management
Re: disable symlink in php
It is an old one that I would have expected to be fixed. But a poster elsewhere insists it works on 5.3.3.
http://cxsecurity.com/issue/WLB-2005090062
My reading of this is that it was fixed LONG ago. But poster says he's tried it on 5.3.3 (CentOS default, I think?) and it works.
--------------------------------
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
Re: disable symlink in php
I have just checked. The exploit does not work on the latest 5.3 from CentOS, nor on the latest 5.3 from ART. Additionally, the WAF rules from ASL will also protect against this exploit.
Lemonbit Internet Dedicated Server Management