Bugtraq mailing list archives
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: James Birk <jamesbirk () gmail com>
Date: Tue, 13 Aug 2013 08:11:37 -0400
On Aug 13, 2013, at 3:55 AM, Reindl Harald <h.reindl () thelounge net> wrote:
> On 13.08.2013 00:42, Brandon M. Graves wrote:
>> I hate to come late to the party, but following all of this, it is kind of ridiculous. I have to agree with those before in saying software should ship secure. In my environment whenever we are given a new bit to add to our infrastructure, be it a new server, new version of an OS, or new version of a software, either A) it comes to us from those at our distribution point pre templated to be unusable due to security, or B) we first make it unusable by configuring every possible security setting to be as tight as possible...
>
> nobody said anything else but "Apache suEXEC privilege elevation" is *not* a suEXEC problem and that's the whole point - people in this thread mixing a lot of different things partly with no clue

Precisely. This entire thread is filled with people who not only do not know how Apache works, but how Bugtraq works either.

That said, this issue is of course not a bug, but a feature-- a feature which if used, opens a mild to moderate vulnerability which can be corrected on the substrate in any number of ways.

So y'all need to sit down.

James.