BugTraq
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 10 2013 02:52PM
Tobias Kreidl (tobias kreidl nau edu) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 10:44AM
Reindl Harald (h reindl thelounge net) (2 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 08:15PM
Stefan Kanthak (stefan kanthak nexgo de) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 08:53PM
Reindl Harald (h reindl thelounge net) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 09:56PM
Stefan Kanthak (stefan kanthak nexgo de) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 10:30PM
Reindl Harald (h reindl thelounge net) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 05:28PM
Coderaptor (coderaptor gmail com) (3 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 07:03PM
Jeffrey Walton (noloader gmail com)
On Mon, Aug 12, 2013 at 1:28 PM, Coderaptor <coderaptor (at) gmail (dot) com> wrote:
> I have been a silent spectator to this drama, and could not resist adding a few thoughts of my own:
>
> 1. All software, especially webservers, should ship with secure defaults. Period. It is a fundamental mistake to assume all admins who roll out web apps and maintain servers RTFM before rolling out. The key idea here is "time to market", and there is a huge amount of data to prove this.
>
+1. All software should be shipped "secure out of the box". It's
amazing so many folks keep making the same mistakes from the 1980s and
1990s.

> ...
> A huge amount of software today is turd polishing, open source no exception (though it is supposed to have a better track record). The blame lies squarely on everyone.
>
The "more eyes the better" theory is hogwash. I cringe when I hear
anyone discussing the security of crowd sourcing. There are two problems
with their arguments: first is Cognitive Biases, and second is the
Bystander Effect. The biases are being demonstrated by NB and RH, and
the results are typical (no offense NB and RH). The Bystander Effect
ensures that the more people see a bug, the less likely they are to
do anything about it, because they believe someone else has already
done something.

They are well-known problems in Security Engineering. See Peter
Gutmann's Engineering Security
(www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's
Security Engineering (http://www.cl.cam.ac.uk/~rja14/book.html).

Jeff

> On Aug 11, 2013, at 3:30 PM, Reindl Harald <h.reindl (at) thelounge (dot) net> wrote:
>
>> Am 11.08.2013 23:56, schrieb Stefan Kanthak:
>>> "Reindl Harald" <h.reindl (at) thelounge (dot) net> wrote:
>>>> again:
>>>> symlinks are not poison always and everywhere;
>>>> they become poison where untrusted customer code is running.
>>>> blame the admin who does not know his job, and not
>>>> the language offering a lot of functions, some of which
>>>> can be misused
>>>
>>> Again: symlinks are well-known as attack vector for years!
>>
>> and that's why any admin who is not clueless
>> disables the symlink function - but there exists
>> code which *is* secure, runs in a controlled
>> environment and makes use of it for good reasons
>>
>>> It's not the user/administrator who develops or ships insecure code!
>>
>> but it's the administrator who has the wrong job if
>> creating symlinks is possible from any random script
>> running on his servers
>>
>> anyways, i am done with this thread
>>
>> the topic is *not* "Apache suEXEC privilege elevation", it
>> is "admins not securing their servers" - period
>>
>>

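The symlink attack vector argued over in the quoted exchange, as an added example that is not part of any post in this thread and not Apache or suEXEC code: a script running as one hosting customer drops a symlink inside its own document root that points at another customer's files, and a web server that can read both serves the target. The audit below walks a document root and reports every symlink whose resolved target lies outside that root, dangles, or is owned by a different uid (the condition Apache's SymLinksIfOwnerMatch rejects). The two-customer directory layout and the config.php contents are constructed inside a temporary directory for the demonstration; the path names are assumptions, not real hosts.

```python
"""Audit a vhost document root for symlinks that escape it (added example)."""
import os
import tempfile
from pathlib import Path


def escaping_symlinks(docroot):
    """Return (link, resolved_target, reason) for every symlink under docroot
    that a hosting admin would want to know about:
      - "target outside docroot": the link leaves the customer's own tree
      - "dangling": the link resolves to nothing (often a staged attack)
      - "owner mismatch": link and target have different uids, which is
        exactly what Apache's SymLinksIfOwnerMatch refuses to follow
    Directories reached through symlinks are not descended into, so a
    link pointing back into the tree cannot cause an endless walk."""
    root = Path(docroot).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve()  # follows the whole chain, strict=False
            if target != root and root not in target.parents:
                findings.append((str(p), str(target), "target outside docroot"))
                continue
            link_uid = os.lstat(p).st_uid
            try:
                target_uid = os.stat(p).st_uid
            except FileNotFoundError:
                findings.append((str(p), str(target), "dangling"))
                continue
            if link_uid != target_uid:
                findings.append((str(p), str(target), "owner mismatch"))
    return findings


def build_demo():
    """Construct two customers' document roots in a temp dir (test data,
    not a real hosting layout) and plant the attacker's link in A's tree.
    Returns customer A's document root."""
    base = Path(tempfile.mkdtemp(prefix="suexec-symlink-demo-"))
    cust_a = base / "customer_a" / "htdocs"
    cust_b = base / "customer_b" / "htdocs"
    cust_a.mkdir(parents=True)
    cust_b.mkdir(parents=True)
    # customer B's secret; the server user can read it because B's
    # CGI/PHP runs via suEXEC but the file is still readable by httpd
    (cust_b / "config.php").write_text("<?php $db_password = 'constructed-secret';\n")
    (cust_a / "index.html").write_text("<h1>customer A</h1>\n")
    # a legitimate link that stays inside A's own tree: not reported
    (cust_a / "current.html").symlink_to(cust_a / "index.html")
    # the attack: any script running as A can create this, and a
    # FollowSymLinks-enabled server will happily serve B's config
    (cust_a / "steal.txt").symlink_to(cust_b / "config.php")
    return str(cust_a)


if __name__ == "__main__":
    for link, target, reason in escaping_symlinks(build_demo()):
        print(f"{reason}: {link} -> {target}")
```

Running it prints one line for steal.txt and nothing for current.html. On the server side the corresponding setting is `Options -FollowSymLinks +SymLinksIfOwnerMatch` (or `-FollowSymLinks` alone) in the customer's vhost or directory block; Apache's own documentation notes that the owner-match test is subject to a race between check and open, so it narrows the window but is not a hard security boundary, which is why an audit like this one is still worth running.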
RE: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 06:56PM
Peter Gregory (Peter Gregory tommybahama com)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 06:11PM
Reindl Harald (h reindl thelounge net) (3 replies)
Re: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 13 2013 10:26AM
Marco Floris (marco floris jaimeria org)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 10:42PM
Brandon M. Graves (bgraves slicer-net com)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 09:39PM
coderaptor (coderaptor gmail com)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 12:50PM
Ansgar Wiechers (bugtraq planetcobalt net) (1 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 11 2013 03:39PM
Reindl Harald (h reindl thelounge net)
Copyright 2010, SecurityFocus