Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Sun, 11 Aug 2013 22:15:31 +0200

"Reindl Harald" <h.reindl () thelounge net> wrote:

Am 10.08.2013 16:52, schrieb Tobias Kreidl:
It is for this specific reason that utilities like suPHP can be used as a powerful tool to at least keep the
account user from shooting anyone but him/herself in the foot because of any configuration or broken security
issues. Allowing suexec to anyone but a seasoned, responsible admin is IMO a recipe for disaster.

and what makes you believe that a developer can not be a "seasoned, responsible admin"?

Because developers write functions like "system", "symlink" and "suexec"
which can create havoc (and are WELL-KNOWN for creating havoc since
years) and allow everybody to call them in the default configuration of
their software.

bullshit, many of the "seasoned, responsible admins" which are only
admins are unable to really understand the implications of whatever
config they rollout

It was the developer who created and published this vulnerable software
or the vulnerable default configuration in the first place.

If a user/administrator who installs software has to turn insecure
features OFF its the developer who is to blame, and of course the
testers, the QA and the management too.

Stefan Kanthak

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]