Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Tobias Kreidl <tobias.kreidl () nau edu>
Date: Sun, 11 Aug 2013 08:56:31 -0700

Agreed. Many sites limit users to at most SymLinksIfOwnerMatch for that very reason, not to mention limits on CGI privileges. AllowSymlinks, IMO, ought to be reserved for the sysadmin on the server and used sparingly. You can, of course, even require .htaccess configurations to be set in the server's configuration files instead of in the user account areas (in conjunction with the AllowOverride None setting).


On 8/11/2013 7:52 AM, Michal Zalewski wrote:
for doing this features in httpd.conf you can use AllowOverride None instead
of AllowOverride all
AllowSymlinks is a red herring here (hardlinks should do, unless you
have stuff partitioned in a very thoughtful way, which most don't),
similarly to suexec.

In general, sharing web hosting providers that allow shell access or
scripting are pretty much boned in a myriad of ways.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]