Debian: Vulnerable to symlink attack notice while trying to upgrade lighttpd.
Post 302854913 by Jonathan Sander on Wednesday 18th of September 2013, 03:35:39 PM

I got this while I tried to upgrade my server and have been unable to find any explanation of what I could do while I have searched for a solution. I was a bit uncertain about how to search for an answer and have tried some searches that I think should have been good enough, as well as searches much like "symlink attack" and "forged php attack". I cannot understand how I could have modified the file /etc/lighttpd/conf-available/15-fastcgi-php.conf and have therefore not changed the file by setting the "socket" => "/var/run/lighttpd/php.socket". Could someone please tell me how to fix this issue that seems to appear each time my upgrade is about to deal with the lighttpd package?

Quote:
lighttpd (1.4.28-2+squeeze1.3) stable-security; urgency=high

The default Debian configuration file for PHP invoked from FastCGI was
vulnerable to local symlink attacks and race conditions when an attacker
manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
before the web server started. Possibly the web server could have been
tricked to use a forged PHP.

The problem lies in the configuration, thus this update will fix the problem
only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf
If you did, dpkg will not overwrite your changes. Please make sure to set

"socket" => "/var/run/lighttpd/php.socket"

yourself in that case.

-- Arno Töll <arno@debian.org> Thu, 14 Mar 2013 01:57:42 +0100

lighttpd (1.4.28-2+squeeze1.1) stable-security; urgency=high

To fix a security vulnerability in the design of the SSL/TLS protocol
(CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
session renegotiation is no longer supported with old clients that do not
implement this extension. This breaks certain configurations with client
certificate authentication. If you still need to support old clients, you
may restore the old (insecure) behaviour by adding the configuration option

ssl.disable-client-renegotiation = "disable"

to /etc/lighttpd/lighttpd.conf.

-- Thijs Kinkhorst <thijs@debian.org> Thu, 14 Feb 2013 19:42:19 +0100
Regards,
Jonathan Sander Stensvold Hol.

Last edited by Jonathan Sander; 09-18-2013 at 04:41 PM..
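As an added example (not code from the original post or from the Debian lighttpd package), the following POSIX shell script audits lighttpd FastCGI configuration text for a PHP socket placed in a world-writable directory, which is the pre-fix default /tmp/php.socket named in the NEWS entry above, and rewrites it to /var/run/lighttpd/php.socket as the entry asks. The sample configuration embedded in it is constructed to resemble 15-fastcgi-php.conf; the "bin-path" and "max-procs" values are illustrative and only the "socket" line matters.

```shell
#!/bin/sh
# Added example; not code from the original post or from the Debian lighttpd
# package. It audits lighttpd FastCGI configuration text for a PHP socket
# placed in a world-writable directory (the pre-fix default /tmp/php.socket
# named in the NEWS entry) and rewrites it to /var/run/lighttpd/php.socket.
#
# Why /tmp is the problem: any local user can create /tmp/php.socket, or a
# symlink of that name, before lighttpd starts. lighttpd then connects to
# whatever sits at that path instead of the php-cgi backend it spawned.
# A directory writable only by the web server user closes that window.

# Constructed sample in the style of 15-fastcgi-php.conf. The "bin-path" and
# "max-procs" values are illustrative; only the "socket" line matters here.
WEAK_CONF='fastcgi.server += ( ".php" =>
    ((
        "bin-path" => "/usr/bin/php-cgi",
        "socket" => "/tmp/php.socket",
        "max-procs" => 1
    ))
)'

# Count "socket" => "..." entries whose path is under /tmp or /var/tmp.
# Prints the count and always exits 0 so it is safe to call under 'set -e'.
unsafe_socket_count() {
    printf '%s\n' "$1" |
        sed -n -E 's/^[[:space:]]*"socket"[[:space:]]*=>[[:space:]]*"([^"]*)".*/\1/p' |
        grep -c -E '^/(var/)?tmp/' || true
}

# Rewrite any such socket path to the location the Debian fix uses.
fix_socket_path() {
    printf '%s\n' "$1" |
        sed -E 's#("socket"[[:space:]]*=>[[:space:]]*")/(var/)?tmp/[^"]*"#\1/var/run/lighttpd/php.socket"#'
}

# Usage: sh check-php-socket.sh [path-to-conf]
# Without an argument the constructed sample above is audited and fixed.
if [ -n "$1" ]; then
    conf=$(cat "$1")
else
    conf=$WEAK_CONF
fi
echo "sockets in world-writable directories: $(unsafe_socket_count "$conf")"
echo "--- corrected configuration ---"
fix_socket_path "$conf"
```

To run it against the real file: `sh check-php-socket.sh /etc/lighttpd/conf-available/15-fastcgi-php.conf`. Two checks belong next to it. First, `dpkg-query -W -f='${Conffiles}\n' lighttpd` prints each conffile with the md5sum dpkg recorded for it; if `md5sum /etc/lighttpd/conf-available/15-fastcgi-php.conf` does not match, dpkg considers the file locally modified and, exactly as the NEWS entry says, will not overwrite it, so the socket line has to be changed by hand. Second, after the change, `ls -ld /var/run/lighttpd` should show the directory owned by the user lighttpd runs as (www-data on Debian) with no world-write bit; moving the socket out of /tmp only helps if the new directory is not writable by other local users. The quoted text itself is the package's NEWS.Debian entry, which apt-listchanges displays whenever the package is upgraded, independent of the state of the conffile.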
 

PHP-FPM(8)                     Scripting Language                     PHP-FPM(8)

NAME
       php-fpm - PHP FastCGI Process Manager 'PHP-FPM'

SYNOPSIS
       php-fpm [options]

DESCRIPTION
       PHP is a widely-used general-purpose scripting language that is
       especially suited for Web development and can be embedded into HTML.
       This is a variant of PHP that will run in the background as a daemon,
       listening for CGI requests. Output is logged to /usr/var/log/php-fpm.log.

       Most options are set in the configuration file. The configuration file
       is /private/etc/php-fpm.conf.

       By default, php-fpm will respond to CGI requests listening on localhost
       http port 9000. Therefore php-fpm expects your webserver to forward all
       requests for '.php' files to port 9000 and you should edit your
       webserver configuration file appropriately.

OPTIONS
       -C     Do not chdir to the script's directory

       --php-ini path|file, -c path|file
              Look for php.ini file in the directory path or use the specified
              file

       --no-php-ini, -n
              No php.ini file will be used

       --define foo[=bar], -d foo[=bar]
              Define INI entry foo with value bar

       -e     Generate extended information for debugger/profiler

       --help, -h
              This help

       --info, -i
              PHP information and configuration

       --modules, -m
              Show compiled in modules

       --version, -v
              Version number

       --prefix path, -p
              Specify alternative prefix path (the default is /usr)

       --pid file, -g
              Specify the PID file location.

       --fpm-config file, -y
              Specify alternative path to FastCGI process manager
              configuration file (the default is /private/etc/php-fpm.conf)

       --test, -t
              Test FPM configuration file and exit. If called twice (-tt),
              the configuration is dumped before exiting.

       --daemonize, -D
              Force to run in background and ignore daemonize option from
              configuration file.

       --nodaemonize, -F
              Force to stay in foreground and ignore daemonize option from
              configuration file.

       --force-stderr, -O
              Force output to stderr in nodaemonize even if stderr is not a
              TTY.

       --allow-to-run-as-root, -R
              Allow pool to run as root (disabled by default)

FILES
       php-fpm.conf
              The configuration file for the php-fpm daemon.

       php.ini
              The standard php configuration file.

EXAMPLES
       For any unix systems which use init.d for their main process manager,
       you should use the init script provided to start and stop the php-fpm
       daemon.

              sudo /etc/init.d/php-fpm start

       For any unix systems which use systemd for their main process manager,
       you should use the unit file provided to start and stop the php-fpm
       daemon.

              sudo systemctl start php-fpm.service

       If your installation has no appropriate init script, launch php-fpm
       with no arguments. It will launch as a daemon (background process) by
       default. The file /usr/var/run/php-fpm.pid determines whether php-fpm
       is already up and running.

       Once started, php-fpm then responds to several POSIX signals:

              SIGINT, SIGTERM   immediate termination
              SIGQUIT           graceful stop
              SIGUSR1           re-open log file
              SIGUSR2           graceful reload of all workers + reload of
                                fpm conf/binary

TIPS
       The PHP-FPM CGI daemon will work well with most popular webservers,
       including Apache2, lighttpd and nginx.

SEE ALSO
       The PHP-FPM website: http://php-fpm.org

       For a more or less complete description of PHP look here:
       http://www.php.net/manual/

       A nice introduction to PHP by Stig Bakken can be found here:
       http://www.zend.com/zend/art/intro.php

BUGS
       You can view the list of known bugs or report any new bug you found
       at: http://bugs.php.net

AUTHORS
       PHP-FPM SAPI was written by Andrei Nigmatulin. The mailing-lists are
       highload-php-en (English) and highload-php-ru (Russian).

       The PHP Group: Thies C. Arntzen, Stig Bakken, Andi Gutmans, Rasmus
       Lerdorf, Sam Ruby, Sascha Schumann, Zeev Suraski, Jim Winstead, Andrei
       Zmievski.

       A list of active developers can be found here:
       http://www.php.net/credits.php

       And last but not least PHP was developed with the help of a huge
       amount of contributors all around the world.

VERSION INFORMATION
       This manpage describes php-fpm, version 7.1.19.

COPYRIGHT
       Copyright (C) 1997-2018 The PHP Group
       Copyright (c) 2007-2009, Andrei Nigmatulin

       This source file is subject to version 3.01 of the PHP license, that
       is bundled with this package in the file LICENSE, and is available
       through the world-wide-web at the following url:
       http://www.php.net/license/3_01.txt

       If you did not receive a copy of the PHP license and are unable to
       obtain it through the world-wide-web, please send a note to
       license@php.net so we can mail you a copy immediately.

The PHP Group                        2018                            PHP-FPM(8)
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.