Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
- To: king cope <isowarez.isowarez.isowarez@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
- From: andfarm <andfarm@xxxxxxxxx>
- Date: Wed, 7 Aug 2013 12:24:11 -0700
On 2013-08-07, at 09:08, king cope <isowarez.isowarez.isowarez@xxxxxxxxxxxxxx> wrote:

> SymLinksIfOwnerMatch will not help in this attack scenario because the
> .htaccess file overwrites this Options directive

AllowOverride can be used to prevent this as well by specifying a set of values
for Options which does not include FollowSymlinks, e.g.

    AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,Indexes,MultiViews,SymlinksIfOwnerMatch

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
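
The following is an added example, not part of the original message or of Apache itself: a small audit script that reads httpd configuration text and reports every AllowOverride directive that still lets a .htaccess file turn on FollowSymLinks, which is the condition the reply above proposes to close with an Options= list. The sample configuration, its paths and the function names are constructed for illustration; treating "All" inside an Options= list as permissive is a conservative assumption.

```python
# Added example: flag AllowOverride directives that let .htaccess enable FollowSymLinks.
RISKY = {"followsymlinks", "all"}  # "all" is treated conservatively as including it

def override_allows_followsymlinks(directive):
    """True if this AllowOverride line lets .htaccess set Options FollowSymLinks."""
    for tok in directive.split()[1:]:
        low = tok.lower()
        if low in ("all", "options"):      # bare Options: no restriction on values
            return True
        if low.startswith("options="):     # restricted list: check what it permits
            allowed = {o.strip() for o in low[len("options="):].split(",")}
            if allowed & RISKY:
                return True
    return False

def audit(config_text):
    """Return [(line_no, directive)] for every permissive AllowOverride."""
    findings, logical, start = [], "", 0
    for no, raw in enumerate(config_text.splitlines(), 1):
        if not logical:
            start = no                     # first physical line of this directive
        if raw.endswith("\\"):             # Apache line continuation
            logical += raw[:-1] + " "
            continue
        line, logical = " ".join((logical + raw).split()), ""
        tokens = line.split()
        if not tokens or tokens[0].lower() != "allowoverride":
            continue                       # comments, containers, other directives
        if override_allows_followsymlinks(line):
            findings.append((start, line))
    return findings

# Constructed sample configuration (hypothetical paths), not from the original post.
SAMPLE = """\
# constructed sample
<Directory /srv/www/a>
    AllowOverride All
</Directory>
<Directory /srv/www/b>
    AllowOverride AuthConfig FileInfo Indexes Limit \\
        Options=ExecCGI,Includes,Indexes,MultiViews,SymlinksIfOwnerMatch
</Directory>
<Directory /srv/www/c>
    AllowOverride FileInfo Options
</Directory>
<Directory /srv/www/d>
    AllowOverride Options=Indexes,FollowSymLinks
</Directory>
"""

if __name__ == "__main__":
    for no, directive in audit(SAMPLE):
        print(f"line {no}: {directive}")
```

Only the /srv/www/b block, which uses the restricted list from the reply, passes; the other three are reported with the line number where the directive starts.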