Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

[Ansgar Wiechers <bugtraq () planetcobalt net>]

On 2013-08-11 Reindl Harald wrote:
> Am 10.08.2013 16:52, schrieb Tobias Kreidl:
> > It is for this specific reason that utilities like suPHP can be used
> > as a powerful tool to at least keep the account user from shooting
> > anyone but him/herself in the foot because of any configuration or
> > broken security issues. Allowing suexec to anyone but a seasoned,
> > responsible admin is IMO a recipe for disaster.
>
> and what makes you believe that a developer can not be a "seasoned,
> responsible admin"?

Most developers I have met would focus on getting new features to work
rather than secure/reliable operation of the deployed software.

> bullshit, many of the "seasoned, responsible admins" which are only
> admins are unable to really understand the implications of whatever
> config they rollout

Apparently you still haven't learned your lesson from being banned from
the postfix-users mailing list.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq