Bugtraq mailing list archives

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure


From: Reindl Harald <h.reindl () thelounge net>
Date: Tue, 13 Aug 2013 01:06:07 +0200


On 13.08.2013 00:51, coderaptor wrote:
> On Mon, Aug 12, 2013 at 2:45 PM, Reindl Harald <h.reindl () thelounge net> wrote:
>>> ALL software MUST come with SECURE DEFAULTS. PERIOD. Anyone who thinks otherwise should fly in an aircraft running
>>> his own designed software. Knowledgeable Admins are not an alternative to secure defaults, rather I'd prefer both.
>>
>> *define what is secure* and make sure you define it by context
>>
>> unlink('file_my_script_wrote'); is fine
>> unlink($_GET['what_ever_input']); is a security hole
>>
>> so do we now disable unlink();
>
> Why not?

because it is plain stupid

you even stated that you did not realize that others are talking
about PHP and you did not know the context of 'disable_functions'
and so stop trying to be a smartass in topics you are clueless about

>> hey in this case you need also to disable fopen(), file_put_contents()
>> and whatever function can open and overwrite a file - now you could
>> come and argue "but the permissions should not allow" - well, your
>> config should also not allow any random script to create symlinks
>>
>> on an internal application which is not accessible from the web
>> symlink() is harmless and may be used for good reasons
>>
>> so you should realize that security is not black and white
>
> Go ahead and disable all 1330 functions if the need be, and let the
> Administrator figure out which ones he should carefully enable

please stop making yourself *that* laughable

if you need 100% secure defaults do not allow CGI and script interpreters
and go back to static sites because you have to realize that *any*
scripting language is a security risk per definition - period

> Just for the sake of argument? Which sane framework provides 1330
> functions? Security is surely not black and white, but this argument
> should not justify poor design choices. Anyways, no matter what one
> does, using a framework with 1330 functions is a poor security decision

please be quiet and come back after you understood the difference
between a programming language and a framework

hint:

* PHP:                     programming language
* Ruby:                    programming language

* Zend Framework, Symfony: Framework
* Ruby on Rails:           Framework

Attachment: signature.asc
Description: OpenPGP digital signature
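An added example, not part of the thread and not code written by either poster, illustrating the unlink() point argued above: the unchecked call beside a variant that confines deletion to one directory the script owns. The upload directory, the file names and the throwaway temp directory are constructed assumptions.

```php
<?php
// Added example (not from the thread): unlink() on raw request input, and
// the same operation confined to a directory the script owns.
declare(strict_types=1);

// The pattern called a security hole above: the request parameter decides
// which path is removed, with the privileges of whatever user the script
// runs as (the suEXEC user, or the web server user without suEXEC).
function delete_unchecked(string $userInput): bool
{
    return @unlink($userInput);
}

// Hardened variant: delete only a plain file that lives directly inside
// $uploadDir (a constructed assumption for the directory the script owns).
function delete_confined(string $userInput, string $uploadDir): bool
{
    // 1. Accept plain file names only: no directory separators, no "." or "..".
    if ($userInput === '' || $userInput === '.' || $userInput === '..'
        || $userInput !== basename($userInput)) {
        return false;
    }
    $candidate = $uploadDir . DIRECTORY_SEPARATOR . $userInput;

    // 2. Refuse symlinks outright: a link planted in the directory would make
    //    unlink() act on a path the script never validated.
    if (is_link($candidate)) {
        return false;
    }

    // 3. Resolve both sides and require the target to sit inside the base
    //    directory after resolution, so a symlinked $uploadDir still works but
    //    nothing outside it can be reached.
    $base   = realpath($uploadDir);
    $target = realpath($candidate);
    if ($base === false || $target === false) {
        return false;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    // 4. Regular files only: never directories, sockets or devices.
    if (!is_file($target)) {
        return false;
    }
    return unlink($candidate);
}

// Demonstration on a throwaway directory (constructed input).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'unlink_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.txt', "data\n");
file_put_contents($dir . DIRECTORY_SEPARATOR . 'keep.txt', "data\n");
symlink($dir . DIRECTORY_SEPARATOR . 'keep.txt', $dir . DIRECTORY_SEPARATOR . 'alias');

$cases = [
    '../report.txt',   // contains a separator: rejected before touching the filesystem
    'alias',           // symlink: rejected, keep.txt survives
    'missing.txt',     // does not exist: realpath() fails, rejected
    'report.txt',      // plain file inside the directory: deleted
];
foreach ($cases as $name) {
    printf("%-15s => %s\n", $name, delete_confined($name, $dir) ? 'deleted' : 'rejected');
}
printf("keep.txt still present: %s\n", is_file($dir . DIRECTORY_SEPARATOR . 'keep.txt') ? 'yes' : 'no');

// Cleanup.
unlink($dir . DIRECTORY_SEPARATOR . 'alias');
unlink($dir . DIRECTORY_SEPARATOR . 'keep.txt');
rmdir($dir);
```

The php.ini disable_functions directive the thread refers to is the blanket alternative: it removes unlink() for every script on the host, which is the point Reindl makes about context. The confined variant keeps the function available and instead restricts what it may act on, which is what a script that legitimately deletes its own files needs.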

