Discussion in 'PHP' started by masood_y, Apr 23, 2009.
Do you have any idea how to patch PHP suEXEC for the "ln" command?
PHP suEXEC is enabled on my server.
But users can link outside their own directory with "ln" and see other sites' configuration files.
And it's a big security issue.
Everything follows Linux/Unix file system permissions; there is no magic.
Maybe you should prevent users from executing "ln" from PHP by tightening the grip on php.ini.
Use "If Owner Match".
The problem was not solved by the above tuning.
Please check your private messages to see the bug details.
You also need to set http://www.litespeedtech.com/docs/webserver/config/security/#checkSymbolLink
It is still not resolved.
There is no way to prevent the Perl script from creating a symbolic link, unless you disable Perl.
The best that can be done is to block access to the target file pointed to by the symbolic link; the above configuration changes do that.
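An added example, not part of the original thread and not LiteSpeed's own code: a small audit an administrator could run over a site's document root to list the symbolic links that an owner-match check should refuse to follow. The function names, reason labels and the demo directory layout are assumptions constructed for illustration.

```python
import os
import tempfile

def audit_symlinks(docroot):
    """Return (link, target, reasons) for symlinks a server should not follow."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: report directory symlinks, never descend through them
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)  # resolve the whole chain
            try:
                target_uid = os.stat(target).st_uid
            except OSError:
                findings.append((link, target, "target-unreachable"))
                continue
            reasons = []
            # Same comparison an owner-match policy makes: link owner vs target owner
            if os.lstat(link).st_uid != target_uid:
                reasons.append("owner-mismatch")
            # Independent check: does the resolved target leave this docroot?
            if os.path.commonpath([root, target]) != root:
                reasons.append("outside-docroot")
            if reasons:
                findings.append((link, target, ",".join(reasons)))
    return findings

def demo():
    """Constructed layout: siteA links to siteB's config and to its own file."""
    with tempfile.TemporaryDirectory() as tmp:
        doc_a = os.path.join(tmp, "siteA", "public_html")
        site_b = os.path.join(tmp, "siteB")
        os.makedirs(doc_a)
        os.makedirs(site_b)
        for path in (os.path.join(doc_a, "index.php"),
                     os.path.join(site_b, "config.php")):
            with open(path, "w") as fh:
                fh.write("<?php // constructed sample file\n")
        os.symlink(os.path.join(site_b, "config.php"), os.path.join(doc_a, "peek"))
        os.symlink(os.path.join(doc_a, "index.php"), os.path.join(doc_a, "ok"))
        return audit_symlinks(doc_a)

if __name__ == "__main__":
    for link, target, reasons in demo():
        print(f"{reasons}: {link} -> {target}")
```

In the demo both files belong to the same user, so only the outside-docroot reason fires; on a shared host where each site has its own account, the cross-site link would also be reported as an owner mismatch.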