[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
- From: Ansgar Wiechers <bugtraq@xxxxxxxxxxxxxxxx>
- Date: Sun, 11 Aug 2013 14:50:13 +0200
On 2013-08-11 Reindl Harald wrote:
> Am 10.08.2013 16:52, schrieb Tobias Kreidl:
>> It is for this specific reason that utilities like suPHP can be used
>> as a powerful tool to at least keep the account user from shooting
>> anyone but him/herself in the foot because of any configuration or
>> broken security issues. Allowing suexec to anyone but a seasoned,
>> responsible admin is IMO a recipe for disaster.
>
> and what makes you believe that a developer can not be a "seasoned,
> responsible admin"?
Most developers I have met would focus on getting new features to work
rather than secure/reliable operation of the deployed software.
> bullshit, many of the "seasoned, responsible admins" which are only
> admins are unable to really understand the implications of whatever
> config they rollout
Apparently you still haven't learned your lesson from being banned from
the postfix-users mailing list.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq