Full Disclosure
mailing list archives
Re: Apache suEXEC privilege elevation / information disclosure
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 10 Aug 2013 06:49:58 -0400
On Sat, Aug 10, 2013 at 6:10 AM, Gichuki John Chuksjonia
<chuksjonia () gmail com> wrote:
> One thing u gotta remember most of the Admins who handle webservers in
> a network are also developers since most of the organizations will
> always need to cut on expenses, and as we know, most of the developers
> will just look into finishing work and making it work. So if something
> doesn't run due to httpd.conf, you will find these guys loosening
> server security, therefore opening holes to the infrastructure.
Cognitive Bias and Dissonance are well known problems in security
engineering. NB's comments are a testament to the disconnect between
the creators of the system and the users of the system. (No offense to
NB).
See, for example, Peter Gutmann's Engineering Security
(www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's
Security Engineering (http://www.cl.cam.ac.uk/~rja14/book.html).
Jeff
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/