Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Reindl Harald <h.reindl () thelounge net>
Date: Mon, 12 Aug 2013 00:30:25 +0200



Am 11.08.2013 23:56, schrieb Stefan Kanthak:
"Reindl Harald" <h.reindl () thelounge net> wrote:
again:
symlinks are to not poision always and everywhere
they become where untrusted customer code is running
blame the admin which doe snot know his job and not
the language offering a lot of functions where some
can be misused

Again: symlinks are well-known as attack vector for years!

and that's why any admin which is not clueless
disables the symlink function - but there exists
code which *is* secure, runs in a crontrolled
environment and make use of it for good reasons

It's not the user/administrator who develops or ships insecure code!

but it's the administrator which has the wrong job if
create symlinks is possible from any random script
running on his servers

anyways, i am done with this thread

the topic is *not* "Apache suEXEC privilege elevation" it
is "admins not secure their servers" - period


Attachment: signature.asc
Description: OpenPGP digital signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault