Full Disclosure mailing list archives
Re: Apache suEXEC privilege elevation / information disclosure
From: Noel Butler <noel.butler () ausics net>
Date: Sat, 10 Aug 2013 12:22:37 +1000
On Fri, 2013-08-09 at 06:21 -0500, R. Whitney wrote:
I would concern myself more with the web hosting providers which utilize suExec. By escalating privileges even to just the level of the HTTPD would allow one to read/write to content outside of their web hosting account. I have personally been in situations where I have had to advise sys admins that suExec was properly setup & my web hosting account was capable of (in worst case scenario) shutting down the HTTPD itself, and in other situations capable of reading things like wordpress config files from other hosting accounts.
Then httpd was clearly not configured by someone who knew what they were doing - and majorly broke it somehow
Good work as always Kingcope. :)
oh dear .. I knew there was a reason why I rarely read this list unless something is off-list brought to my attention.
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Apache suEXEC privilege elevation / information disclosure, (continued)
- Message not available
- Re: Apache suEXEC privilege elevation / information disclosure king cope (Aug 07)
- Re: Apache suEXEC privilege elevation / information disclosure andfarm (Aug 07)
- Re: Apache suEXEC privilege elevation / information disclosure E R (Aug 08)
- Re: Apache suEXEC privilege elevation / information disclosure Michal Zalewski (Aug 11)
- Message not available
- Re: Apache suEXEC privilege elevation / information disclosure Noel Butler (Aug 09)
- Re: Apache suEXEC privilege elevation / information disclosure Kingcope (Aug 09)
- Re: Apache suEXEC privilege elevation / information disclosure Noel Butler (Aug 09)
- Re: Apache suEXEC privilege elevation / information disclosure R. Whitney (Aug 09)
- Re: Apache suEXEC privilege elevation / information disclosure mezgani ali (Aug 09)
- Re: Apache suEXEC privilege elevation / information disclosure Noel Butler (Aug 09)
- Re: Apache suEXEC privilege elevation / Dico Emil (Aug 09)
- Re: Apache suEXEC privilege elevation / information disclosure Kingcope (Aug 09)
- Re: Apache suEXEC privilege elevation / information disclosure Kingcope (Aug 09)
- Re: Apache suEXEC privilege elevation / information disclosure Gichuki John Chuksjonia (Aug 10)
- Re: Apache suEXEC privilege elevation / information disclosure Jeffrey Walton (Aug 10)
- Re: Apache suEXEC privilege elevation / information disclosure Reindl Harald (Aug 11)