Bugtraq mailing list archives
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 10 Aug 2013 06:49:58 -0400
On Sat, Aug 10, 2013 at 6:10 AM, Gichuki John Chuksjonia <chuksjonia () gmail com> wrote:
One thing u gotta remember most of the Admins who handle webservers in a network are also developers since most of the organizations will always need to cut on expenses, and as we know, most of the developers will just look into finishing work and making it work. So if something doesn't run due to httpd.conf, you will find these guys loosening server security, therefore opening holes to the infrastructure.
Cognitive Bias and Dissonance are well known problems in security engineering. NB's comments are a testament to the disconnect between the creators of the system and the users of the system. (No offense to NB). See, for example, Peter Gutmann's Engineering Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's Security Engineering (http://www.cl.cam.ac.uk/~rja14/book.html). Jeff
Current thread:
- Apache suEXEC privilege elevation / information disclosure king cope (Aug 07)
- Message not available
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure king cope (Aug 07)
- Message not available
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Michal Zalewski (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Tobias Kreidl (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure king cope (Aug 07)
- Message not available
- Re: Apache suEXEC privilege elevation / information disclosure Kingcope (Aug 09)
- RE: [Full-disclosure] Apache suEXEC privilege elevation / Dico Emil (Aug 09)
- Message not available
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Gichuki John Chuksjonia (Aug 10)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Jeffrey Walton (Aug 10)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 10)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure terry white (Aug 11)