BugTraq
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 10 2013 02:52PM
Tobias Kreidl (tobias kreidl nau edu) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 10:44AM
Reindl Harald (h reindl thelounge net) (2 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 08:15PM
Stefan Kanthak (stefan kanthak nexgo de) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 08:53PM
Reindl Harald (h reindl thelounge net) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 09:56PM
Stefan Kanthak (stefan kanthak nexgo de) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 10:30PM
Reindl Harald (h reindl thelounge net) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 05:28PM
Coderaptor (coderaptor gmail com) (3 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 07:03PM
Jeffrey Walton (noloader gmail com)
RE: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 06:56PM
Peter Gregory (Peter Gregory tommybahama com)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 06:11PM
Reindl Harald (h reindl thelounge net) (3 replies)
Re: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 13 2013 10:26AM
Marco Floris (marco floris jaimeria org)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 10:42PM
Brandon M. Graves (bgraves slicer-net com)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 09:39PM
coderaptor (coderaptor gmail com)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 12:50PM
Ansgar Wiechers (bugtraq planetcobalt net) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 03:39PM
Reindl Harald (h reindl thelounge net)


Am 11.08.2013 14:50, schrieb Ansgar Wiechers:
> On 2013-08-11 Reindl Harald wrote:
>> Am 10.08.2013 16:52, schrieb Tobias Kreidl:
>>> It is for this specific reason that utilities like suPHP can be used
>>> as a powerful tool to at least keep the account user from shooting
>>> anyone but him/herself in the foot because of any configuration or
>>> broken security issues. Allowing suexec to anyone but a seasoned,
>>> responsible admin is IMO a recipe for disaster.
>>
>> and what makes you believe that a developer can not be a "seasoned,
>> responsible admin"?
>
> Most developers I have met would focus on getting new features to work
> rather than secure/reliable operation of the deployed software

maybe you met the wrong ones............

on the other hand most admins i met did not use "disallow_functions"
a responsilble developer which is at the same time admin has the
knowledge not using dangerous functions and disables them

one config line and the whole topic would be obsolete by not
allowing symlinks from web-applications

disable_functions = "popen, pclose, exec, passthru, shell_exec, system, proc_open, proc_close, proc_nice,
proc_terminate, proc_get_status, pcntl_exec, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid,
posix_setsid, posix_setuid, mail, symlink, link, dl, get_current_user, getmypid, getmyuid, getrusage, pfsockopen,
socket_accept, socket_bind, openlog, syslog"

>> bullshit, many of the "seasoned, responsible admins" which are only
>> admins are unable to really understand the implications of whatever
>> config they rollout
>
> Apparently you still haven't learned your lesson from being banned from
> the postfix-users mailing list

oh i forgot, in the enlish speaking world in have to write
"clould i ask you please could consider to think about...."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlIHsCEACgkQhmBjz394AnkLbwCeIVkj1777vyVFhVVZZoJGVjTe
gagAoJTH8tWDWKMOOV40l+fpWDodzZuR
=FZCN
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus