
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

On 11.08.2013 23:56, Stefan Kanthak wrote:
> "Reindl Harald" <h.reindl@xxxxxxxxxxxxx> wrote:
>> again:
>> symlinks are not poison always and everywhere
>> they become where untrusted customer code is running
>> blame the admin which does not know his job and not
>> the language offering a lot of functions where some
>> can be misused
> Again: symlinks are well-known as attack vector for years!

and that's why any admin which is not clueless
disables the symlink function - but there exists
code which *is* secure, runs in a controlled
environment and makes use of it for good reasons

> It's not the user/administrator who develops or ships insecure code!

but it's the administrator which has the wrong job if
create symlinks is possible from any random script
running on his servers

anyways, i am done with this thread

the topic is *not* "Apache suEXEC privilege elevation" it
is "admins not secure their servers" - period
