What can happen if you leave them turned on?
Description
Stefan Esser has reported a vulnerability in PHP, which can be exploited by malicious, local users to bypass certain security restrictions.
The vulnerability is caused due to a race condition in the handling of symlinks and can be exploited to bypass the open_basedir protection mechanism.
The vulnerability has been reported in PHP4 and PHP5.
Solution
Disable the "symlink()" function in php.ini.
PHP's symlink function is independent of whether Apache can follow symbolic links. Elgg does not require symbolic link support from either Apache or PHP. You'll be fine with both turned off if you choose to do that.
Thank you guys!
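An added example, not part of the thread or of Elgg's code: a small Python check that a php.ini carries the advisory's mitigation (`symlink` listed in `disable_functions`) while `open_basedir` is in use. The sample ini text and paths are constructed, and the parser assumes a later assignment of a directive overrides an earlier one.

```python
# Constructed php.ini fragments for illustration (not taken from the thread).
SAMPLE_WEAK = """\
[PHP]
open_basedir = /var/www/elgg:/var/elggdata
;disable_functions = symlink
disable_functions =
"""
SAMPLE_HARDENED = """\
[PHP]
open_basedir = /var/www/elgg:/var/elggdata
;disable_functions = exec
disable_functions = "exec, symlink ,passthru" ; trailing comment
"""

def ini_value(text, key):
    """Return the last uncommented value assigned to `key`, or None if unset."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, ';' comments and [section] headers.
        if not line or line.startswith((";", "[")):
            continue
        name, sep, raw = line.partition("=")
        if sep and name.strip() == key:  # directive names compared exactly
            # Simplified: cut a trailing ';' comment, then surrounding quotes.
            value = raw.split(";", 1)[0].strip().strip("\"'")
    return value

def disabled_functions(text):
    """Set of function names listed in disable_functions, as written."""
    raw = ini_value(text, "disable_functions") or ""
    return {name.strip() for name in raw.split(",") if name.strip()}

def audit(text):
    """Return findings; an empty list means the mitigation is in place."""
    findings = []
    if "symlink" not in disabled_functions(text):
        findings.append("symlink() is callable: add symlink to disable_functions")
    if not ini_value(text, "open_basedir"):
        findings.append("open_basedir is unset, so no path restriction is applied")
    return findings

if __name__ == "__main__":
    for label, ini in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(ini) or "ok")
```

Run `php --ini` to see which php.ini the interpreter actually loads before pointing the check at a file.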