BugTraq
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 10 2013 10:10AM
Gichuki John Chuksjonia (chuksjonia gmail com) (3 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 10 2013 02:25PM
Reindl Harald (h reindl thelounge net)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 10 2013 10:49AM
Jeffrey Walton (noloader gmail com)
On Sat, Aug 10, 2013 at 6:10 AM, Gichuki John Chuksjonia
<chuksjonia (at) gmail (dot) com [email concealed]> wrote:
> One thing u gotta remember most of the Admins who handle webservers in
> a network are also developers since most of the organizations will
> always need to cut on expenses, and as we know, most of the developers
> will just look into finishing work and making it work. So if something
> doesn't run due to httpd.conf, you will find these guys loosening
> server security, therefore opening holes to the infrastructure.
Cognitive Bias and Dissonance are well known problems in security
engineering. NB's comments are a testament to the disconnect between
the creators of the system and the users of the system. (No offense to
NB).

See, for example, Peter Gutmann's Engineering Security
(www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's
Security Engineering (http://www.cl.cam.ac.uk/~rja14/book.html).

Jeff
