[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

On 2013-08-11 Reindl Harald wrote:
> Am 10.08.2013 16:52, schrieb Tobias Kreidl:
>> It is for this specific reason that utilities like suPHP can be used
>> as a powerful tool to at least keep the account user from shooting
>> anyone but him/herself in the foot because of any configuration or
>> broken security issues. Allowing suexec to anyone but a seasoned,
>> responsible admin is IMO a recipe for disaster.
> and what makes you believe that a developer can not be a "seasoned,
> responsible admin"?

Most developers I have met would focus on getting new features to work
rather than secure/reliable operation of the deployed software.

> bullshit, many of the "seasoned, responsible admins" which are only
> admins are unable to really understand the implications of whatever
> config they rollout

Apparently you still haven't learned your lesson from being banned from
the postfix-users mailing list.

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq