BugTraq
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 12 2013 11:45PM
coderaptor (coderaptor gmail com) (2 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 13 2013 12:29PM
Matthew Caron (Matt Caron redlion net)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 13 2013 07:55AM
Reindl Harald (h reindl thelounge net) (3 replies)
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Aug 13 2013 12:11PM
James Birk (jamesbirk gmail com)

On Aug 13, 2013, at 3:55 AM, Reindl Harald <h.reindl (at) thelounge (dot) net [email concealed]> wrote:

> Am 13.08.2013 00:42, schrieb Brandon M. Graves:
>> I hate to come late to the party, but following all of this, it is kind of
>> ridiculous.
>>
>> I have to agree with those before in saying software should ship secure.
>> in my environment whenever we are given a new bit to add to our
>> infrastructure, be it a new server, new version of an OS, or new version
>> of a software, either A) it comes to us from those at our distribution
>> point pre templated to be unusable due to security, or B) we first make
>> it unusable by configuring every possible security setting to be as tight
>> as possible...
>
> nobody said anything else
>
> but "Apache suEXEC privilege elevation" is *not* a suEXEC
> problem and that's the whole point - people in this thread
> mixing a lot of different things partly with no clue

Precisely. This entire thread is filled with people who not only do not know how Apache works, but how Bugtraq works either. That said, this issue is of course not a bug, but a feature-- a feature which if used, opens a mild to moderate vulnerability which can be corrected on the substrate in any number of ways.

So y'all need to sit down.

James.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus