Bugtraq mailing list archives
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Reindl Harald <h.reindl () thelounge net>
Date: Tue, 13 Aug 2013 09:55:14 +0200
Am 13.08.2013 00:42, schrieb Brandon M. Graves:
I hate to come late to the party, but following all of this, it is kind of ridiculous. I have to agree with those before in saying software should ship secure. in my environment whenever we are given a new bit to add to our infrastructure, be it a new server, new version of an OS, or new version of a software, either A) it comes to us from those at our distribution point pre templated to be unusable due to security, or B) we first make it unusable by configuring every possible security setting to be as tight as possible...
nobody said anything else but "Apache suEXEC privilege elevation" is *not* a suEXEC problem and that's the whole point - people in this thread mixing a lot of different things partly with no clue Am 13.08.2013 01:45, schrieb coderaptor:
On Mon, Aug 12, 2013 at 4:06 PM, Reindl Harald <h.reindl () thelounge net> wrote:unlink('file_my_script_wrote'); is fine unlink($_GET['what_ever_input']): is a security hole so do we now disable unlink();Why not?because it is plain stupidYou think so. Not everyone shares your opinion.
you know the quote from "Dirty Harry" about opinions?
you even statet that you did not realize that others are talking about PHP and you not knew the context of 'disable_functions' and so stop trying to be a smartass in topics you are cluelessPlease no personal insults
truth != insult
Go ahead and disable all 1330 functions if the need be, and let the Administrator figure out which ones he should carefully enableplease stop making yourself *that* laughableI don't care.
i see
Just for the sake of argument? Which sane framework provides 1330 functions? Security is surely not black and white, but this argument should not justify poor design choices. Anyways, no matter what one does, using a framework with 1330 functions is poor security decisionplease be quite and come back after you understood the difference between a programming language and a framework hint: * PHP: programming language * Ruby: programming language * Zend Framework, Symfony: Framework * Ruboy On Rails: FrameworkDoes it matter if I call at a framework, programming language, or dancing donkey? It doesn't change the reality
yes, if you talk on a professional level you need to know the basics if you like to be taken serious
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure, (continued)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure coderaptor (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Brandon M. Graves (Aug 12)
- Re: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Marco Floris (Aug 13)
- Message not available
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure George Machitidze (Aug 12)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Jeffrey Walton (Aug 12)
- Message not available
- Message not available
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure coderaptor (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure coderaptor (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure terry white (Aug 13)
- Message not available
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Chris Meisinger (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Jorge Dorantes (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure James Birk (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Mike Ely (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Matthew Caron (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Stefan Kanthak (Aug 13)
- Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 13)