[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure



Am 13.08.2013 00:51, schrieb coderaptor:
> On Mon, Aug 12, 2013 at 2:45 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>>> ALL software MUST come with SECURE DEFAULTS. PERIOD. Anyone who thinks otherwise should fly in an aircraft running
>>> his own designed software. Knowledgeable Admins are not an alternative to secure defaults, rather I'd prefer both.
>>
>> *define what is secure* and make sure you define it by context
>>
>> unlink('file_my_script_wrote'); is fine
>> unlink($_GET['what_ever_input']): is a security hole
>>
>> so do we now disable unlink();
> 
> Why not?

because it is plain stupid

you even statet that you did not realize that others are talking
about PHP and you not knew the context of 'disable_functions'
and so stop trying to be a smartass in topics you are clueless

>> hey in this case you need also to disable fopen(), file_put_contents()
>> and whatever function can open and overwrite a file - now you could
>> come and argue "but the permissions should not allow" - well, your
>> config should also not allow any random script to create symlinks
>>
>> on a internal application which is not accesable from the web
>> symlink() is harmless and may be used for good reasons
>>
>> so you should realize that security is not black and white
> 
> Go ahead and disable all 1330 functions if the need be, and let the
> Administrator figure out which ones he should carefully enable

please stop making yourself *that* laughable

>> if you nned 100% secure defaults do not allow CGI and script interpreters
>> and go back to static sites because you have to realize that *any*
>> scripting lanuguage is a security risk per definition - period
> 
> Just for the sake of argument? Which sane framework provides 1330
> functions? Security is surely not black and white, but this argument
> should not justify poor design choices. Anyways, no matter what one
> does, using a framework with 1330 functions is poor security decision

please be quite and come back after you understood the difference
between a programming language and a framework

hint:

* PHP:                     programming language
* Ruby:                    programming language

* Zend Framework, Symfony: Framework
* Ruboy On Rails:          Framework

Attachment: signature.asc
Description: OpenPGP digital signature