Bugtraq mailing list archives

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Sun, 11 Aug 2013 14:50:13 +0200

On 2013-08-11 Reindl Harald wrote:
> On 10.08.2013 16:52, Tobias Kreidl wrote:
>> It is for this specific reason that utilities like suPHP can be used
>> as a powerful tool to at least keep the account user from shooting
>> anyone but him/herself in the foot because of any configuration or
>> broken security issues. Allowing suexec to anyone but a seasoned,
>> responsible admin is IMO a recipe for disaster.
>
> and what makes you believe that a developer can not be a "seasoned,
> responsible admin"?

Most developers I have met would focus on getting new features to work
rather than secure/reliable operation of the deployed software.

> bullshit, many of the "seasoned, responsible admins" which are only
> admins are unable to really understand the implications of whatever
> config they roll out

Apparently you still haven't learned your lesson from being banned from
the postfix-users mailing list.

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
