Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 10 Aug 2013 06:49:58 -0400

On Sat, Aug 10, 2013 at 6:10 AM, Gichuki John Chuksjonia
<chuksjonia () gmail com> wrote:
One thing u gotta remember most of the Admins who handle webservers in
a network are also developers since most of the organizations will
always need to cut on expenses, and as we know, most of the developers
will just look into finishing work and making it work. So if something
doesn't run due to httpd.conf, you will find these guys loosening
server security, therefore opening holes to the infrastructure.
Cognitive Bias and Dissonance are well known problems in security
engineering. NB's comments are a testament to the disconnect between
the creators of the system and the users of the system. (No offense to
NB).

See, for example, Peter Gutmann's Engineering Security
(www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf‎) or Ross Anderson's
Security Engineering (http://www.cl.cam.ac.uk/~rja14/book.html).

Jeff


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault