Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: James Birk <jamesbirk () gmail com>
Date: Tue, 13 Aug 2013 08:11:37 -0400

On Aug 13, 2013, at 3:55 AM, Reindl Harald <h.reindl () thelounge net> wrote:

Am 13.08.2013 00:42, schrieb Brandon M. Graves:
I hate to come late to the party, but following all of this, it is kind of

I have to agree with those before in saying software should ship secure.
in my environment whenever we are given a new bit to add to our
infrastructure, be it a new server, new version of an OS, or new version
of a software, either A) it comes to us from those at our distribution
point pre templated to be unusable due to security, or B) we first make
it unusable by configuring every possible security setting to be as tight
as possible...

nobody said anything else

but "Apache suEXEC privilege elevation" is *not* a suEXEC
problem and that's the whole point - people in this thread
mixing a lot of different things partly with no clue

Precisely.  This entire thread is filled with people who not only do not know how Apache works, but how Bugtraq works 
either.  That said, this issue is of course not a bug, but a feature-- a feature which if used, opens a mild to 
moderate vulnerability which can be corrected on the substrate in any number of ways.

So y'all need to sit down.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]