Gordon Messmer wrote:
> On 08/29/2010 05:51 AM, Stephen Harris wrote:
>
>> There's nothing special about /proc/$$/environ. All the variables in there
>> are already available to the process. eg
>>
>
> Yes, and the shell could even be made to do as you wanted if you could
> convince a script to "source /proc/$$/environ". You don't see many web
> services written in POSIX sh, though.
>
>
>> Badly written CGI programs are badly written CGI programs no matter
>> what language they're written in. The exact nature of the exploit may
>> be different, but they all fall into a similar class - the programmer
>> ****ed up.
>>
>
> Yes, that's true, but the original message in this thread saw an attempt
> to load /proc/self/environ through a php script. You're getting pretty
> far off topic, now.
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>

I think running Apache in a chroot environment might be one of the most
effective protections. I used to do that in the past, but I found it too
much work to maintain. Now there are things like mod_chroot and perhaps
other tools, but I have no experience with them and don't know if they
make it easier.

Nataraj