Bugtraq mailing list archives
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Reindl Harald <h.reindl () thelounge net>
Date: Mon, 12 Aug 2013 00:30:25 +0200
On 11.08.2013 23:56, Stefan Kanthak wrote:
> "Reindl Harald" <h.reindl () thelounge net> wrote:
>> again: symlinks are not poison always and everywhere
>> they become so where untrusted customer code is running
>> blame the admin who does not know his job and not the
>> language offering a lot of functions where some can be misused
>
> Again: symlinks are well-known as an attack vector for years!

and that's why any admin who is not clueless disables the symlink function - but there exists code which *is* secure, runs in a controlled environment and makes use of it for good reasons

> It's not the user/administrator who develops or ships insecure code!

but it's the administrator who has the wrong job if creating symlinks is possible from any random script running on his servers

anyways, i am done with this thread
the topic is *not* "Apache suEXEC privilege elevation"
it is "admins not securing their servers" - period