Difference between revisions of "Vuln php posix setpgid"

From Atomicorp Wiki
(Created page with "= PHP function posix_setpgid() allows an attacker to set a processes GID = HP function posix_setpgid() allows allows a user, application or attacker to change to change the g...")
 
m
 
Line 1: Line 1:
 
= PHP function posix_setpgid() allows an attacker to set a processes GID =
 
= PHP function posix_setpgid() allows an attacker to set a processes GID =
  
HP function posix_setpgid() allows allows a user, application or attacker to change to change the group  the process is running as.  This may make it possible for an attacker to gain elevated privileges on the system, or access to parts of the system they should not have access to.  This could potentially lead to compromise of the system.
+
The PHP function posix_setpgid() allows allows a user, application or attacker to change to change the group  the process is running as.  This may make it possible for an attacker to gain elevated privileges on the system, or access to parts of the system they should not have access to.  This could potentially lead to compromise of the system.
  
 
= Next Steps =
 
= Next Steps =
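
Review bot: The added line still repeats words in its first sentence: "allows allows a user" and "to change to change the group". The revision only turns "HP function" into "The PHP function", so both duplicates should be dropped in the same edit. The unchanged heading above it also reads "a processes GID", which should be "a process's GID".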

Latest revision as of 19:50, 10 February 2012

PHP function posix_setpgid() allows an attacker to set a process's GID

The PHP function posix_setpgid() allows a user, application or attacker to change the group the process is running as. This may make it possible for an attacker to gain elevated privileges on the system, or access to parts of the system they should not have access to. This could potentially lead to compromise of the system.

Next Steps

If this risk is unacceptable for your system, then you will want to disable this capability in PHP.

Step 1: Log into the ASL GUI, click on Configuration and select the ASL configuration menu option. This will open the ASL configuration screen.

Step 2: Scroll down to PHP_CHECKS and make sure this is set to "yes". By default ASL will only warn about PHP vulnerabilities. If you set this to yes, it will also fix these vulnerabilities. If this is set to "no" the next step will not work, so set this to "yes".

Step 3: Scroll down to ALLOW_posix_setpgid and set this to "no".

Step 4: Click the "update" button.

This will resolve this vulnerability.
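
To confirm the change took effect, the following check reads php.ini text and reports whether posix_setpgid is listed as disabled. It is an added example, not part of the original page or of ASL, and it assumes the ASL setting results in posix_setpgid being listed in PHP's disable_functions directive (the page does not say how ASL applies the change). The function names and the sample ini fragments are constructed for illustration.

```python
# Function this page is about; extend the set to audit others the same way.
REQUIRED = {"posix_setpgid"}

def disabled_functions(ini_text):
    """Return the set of names in the last disable_functions assignment."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue  # blank line, commented-out line, or section header
        key, sep, val = line.partition("=")
        if not sep or key.strip().lower() != "disable_functions":
            continue
        val = val.split(";", 1)[0].strip()  # drop a trailing comment
        value = val.strip("\"'")  # a later assignment replaces an earlier one
    # Entries are compared exactly as written (conservative: an entry in a
    # different letter case is reported as not matching).
    return {f.strip() for f in value.split(",") if f.strip()}

def not_disabled(ini_text, required=REQUIRED):
    """Names from `required` that the ini text does not disable."""
    return sorted(set(required) - disabled_functions(ini_text))

# Constructed sample php.ini fragments (assumption: not from a real system).
BEFORE = """\
[PHP]
; disable_functions = posix_setpgid
disable_functions = exec, passthru
"""
AFTER = """\
[PHP]
disable_functions = "exec,passthru, posix_setpgid" ; hardened
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        missing = not_disabled(text)
        status = "OK" if not missing else "not disabled: " + ", ".join(missing)
        print(name + ": " + status)
```

The commented-out line in the first sample is ignored, so that fragment is reported as not disabling the function even though the name appears in the file.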
