Bugtraq mailing list archives
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Reindl Harald <h.reindl () thelounge net>
Date: Sun, 11 Aug 2013 17:39:13 +0200
Am 11.08.2013 14:50, schrieb Ansgar Wiechers:
On 2013-08-11 Reindl Harald wrote:Am 10.08.2013 16:52, schrieb Tobias Kreidl:It is for this specific reason that utilities like suPHP can be used as a powerful tool to at least keep the account user from shooting anyone but him/herself in the foot because of any configuration or broken security issues. Allowing suexec to anyone but a seasoned, responsible admin is IMO a recipe for disaster.and what makes you believe that a developer can not be a "seasoned, responsible admin"?Most developers I have met would focus on getting new features to work rather than secure/reliable operation of the deployed software
maybe you met the wrong ones............ on the other hand most admins i met did not use "disallow_functions" a responsilble developer which is at the same time admin has the knowledge not using dangerous functions and disables them one config line and the whole topic would be obsolete by not allowing symlinks from web-applications disable_functions = "popen, pclose, exec, passthru, shell_exec, system, proc_open, proc_close, proc_nice, proc_terminate, proc_get_status, pcntl_exec, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, mail, symlink, link, dl, get_current_user, getmypid, getmyuid, getrusage, pfsockopen, socket_accept, socket_bind, openlog, syslog"
bullshit, many of the "seasoned, responsible admins" which are only admins are unable to really understand the implications of whatever config they rolloutApparently you still haven't learned your lesson from being banned from the postfix-users mailing list
oh i forgot, in the enlish speaking world in have to write "clould i ask you please could consider to think about...."
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Re: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Hv5hA5ms (Aug 08)
- <Possible follow-ups>
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Tobias Kreidl (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Ansgar Wiechers (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Stefan Kanthak (Aug 11)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Stefan Kanthak (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Coderaptor (Aug 12)
- RE: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Peter Gregory (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure coderaptor (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Brandon M. Graves (Aug 12)
- Re: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Marco Floris (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 11)