Bugtraq mailing list archives
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Reindl Harald <h.reindl () thelounge net>
Date: Sun, 11 Aug 2013 12:44:34 +0200
On 10.08.2013 16:52, Tobias Kreidl wrote:
> It is for this specific reason that utilities like suPHP can be used as a powerful tool to at least keep the account user from shooting anyone but him/herself in the foot because of any configuration or broken security issues. Allowing suexec to anyone but a seasoned, responsible admin is IMO a recipe for disaster.
and what makes you believe that a developer cannot be a "seasoned, responsible admin"? bullshit, many of the "seasoned, responsible admins" who are only admins are unable to really understand the implications of whatever config they roll out
> On 8/10/2013 7:25 AM, Reindl Harald wrote:
>> On 10.08.2013 12:10, Gichuki John Chuksjonia wrote:
>>> One thing you gotta remember: most of the admins who handle webservers in a network are also developers, since most organizations will always need to cut expenses, and as we know, most developers will just look into finishing work and making it work. So if something doesn't run due to httpd.conf, you will find these guys loosening server security, therefore opening holes to the infrastructure.
>>
>> i am one of the developers who are admin
>>
>> why? because maintaining servers where only internally developed software runs gives you the power to make security as tight as possible - and yes, security is *always* first
>>
>> not the admins who are developers are the problem, crap like wordpress, joomla, phpBB is the problem because these developers have no idea how to securely maintain a server and try to develop software which can be installed by any random fool on whatever webserver without understanding the implications
>>
>> that's why these applications are *strictly* forbidden on any machine i am responsible for, it's enough to write abuse mails each time one of these installations outside got hacked and is starting attacks on 3rd parties
--
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
m: +43 (676) 40 221 40, p: +43 (1) 595 3999 33
icq: 154546673, http://www.thelounge.net/
http://www.thelounge.net/signature.asc.what.htm
Current thread:
- Re: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Hv5hA5ms (Aug 08)
- <Possible follow-ups>
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Tobias Kreidl (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Ansgar Wiechers (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Stefan Kanthak (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Stefan Kanthak (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Coderaptor (Aug 12)
- RE: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Peter Gregory (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure coderaptor (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 11)