  #23  
Old 03-31-2009, 05:51 PM
Tony
Quote: Originally Posted by IrPr
If you know the PHP language, you will find that the c99 myshellexec function requires at least one of exec, system or passthru,
so patching the c99 execute function can be done by disabling these 3 functions; the same goes for all attack methods implemented in all common PHP shells.

So, why should Joomla, WordPress, vBulletin or phpBB use execute functions? There is no need for execute functions in most common PHP scripts.
Indeed, only in some special cases, such as FFMPEG convert, are exec functions needed, believe me.
ImageMagick is another that requires access to these commands.

So really you're out of luck supporting applications when a lot of them use these functions. It's a damned-if-you-do, damned-if-you-don't type of situation.


As for suPHP, my point was it has no open_basedir protection at all. The LSWS implementation does have this while also running PHP as the user. There should be no 777 folders, so doing things outside of your folder is going to be very difficult. It would be quite difficult to do much past the user's account unless they're aware of a privilege escalation exploit the system is vulnerable to. If this is the case, there are numerous entry points besides PHP or Perl. You have SSH for the user if enabled. You have cron jobs if users can set those. There are several which could be the entry point. I've never seen it attempted via cron, but I'm pretty sure it could be done.

I believe cron could be the next way to do this, because I've noticed viruses targeting FTP accounts and actually being used to replace index files or mass-produce spam systems. It would not surprise me to see it used as an exploit mechanism. If it's not viruses, there have also been exploits on popular web hosting billing systems; if the system was storing users' FTP passwords, they've probably been compromised. Most of them do store the user's original FTP password and most do not change it, so there are probably lots of hosts with users' FTP and control panel accounts compromised.


A little off topic from the web server side, but there are a heck of a lot of potential places to run shells. The response body scanning is just something I'm wary of, and I'd rather wait for a really solid solution for handling it than a quick one that could be improved with refinement.
__________________
Hawk Host
Frog Host
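To make the disable_functions and open_basedir points in this exchange concrete, here is an added audit script (not code from the thread or from either poster): run under the same PHP SAPI that serves a site, it reports which command-execution routes a PHP shell such as c99 could still reach and whether open_basedir actually confines the script to the account. The account root /home/example/public_html is an assumed placeholder.

```php
<?php
// Added hardening audit, not code from the thread or from either poster.
// Run it through the web SAPI (e.g. as a file in a test vhost): the CLI
// php.ini is usually a different file from the one the web server loads.
// Routes from a PHP script to an OS command. The thread notes that c99
// needs exec, system or passthru; the rest are equivalent fallbacks.
const EXEC_FUNCTIONS = ['exec', 'system', 'passthru', 'shell_exec', 'proc_open', 'popen'];
const ACCOUNT_ROOT = '/home/example/public_html'; // assumed placeholder

// disable_functions is a comma-separated list; normalise it for comparison.
function disabledFunctions(): array
{
    $raw = (string) ini_get('disable_functions');
    return array_map('strtolower', array_filter(array_map('trim', explode(',', $raw))));
}

// Command-execution functions a script in this SAPI can still call.
function stillEnabled(): array
{
    $disabled = disabledFunctions();
    return array_values(array_filter(EXEC_FUNCTIONS, function (string $fn) use ($disabled) {
        return function_exists($fn) && !in_array($fn, $disabled, true);
    }));
}

// True only when open_basedir is set and every entry lies under the account
// root; an entry like /home or /tmp widens what the script may open.
function confinedToAccount(string $root): bool
{
    $setting = (string) ini_get('open_basedir');
    if ($setting === '') {
        return false;
    }
    $prefix = rtrim($root, '/') . '/';
    foreach (explode(PATH_SEPARATOR, $setting) as $dir) {
        if (strpos(rtrim($dir, '/') . '/', $prefix) !== 0) {
            return false;
        }
    }
    return true;
}

header('Content-Type: text/plain');
print_r([
    'exec_functions_enabled' => stillEnabled(),
    'open_basedir'           => (string) ini_get('open_basedir'),
    'confined_to_account'    => confinedToAccount(ACCOUNT_ROOT),
    'runs_as'                => get_current_user(),
]);
```

An empty exec_functions_enabled list together with confined_to_account being true is the state the thread argues for; a non-empty list shows exactly which directive entries still need adding.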