Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

[Reindl Harald <h.reindl () thelounge net>]

Am 13.08.2013 00:42, schrieb Brandon M. Graves:
> I hate to come late to the party, but following all of this, it is kind of
> ridiculous.
>
>  I have to agree with those before in saying software should ship secure.
> in my environment whenever we are given a new bit to add to our
> infrastructure, be it a new server, new version of an OS, or new version
> of a software, either A) it comes to us from those at our distribution
> point pre templated to be unusable due to security, or B) we first make
> it unusable by configuring every possible security setting to be as tight
> as possible...

nobody said anything else

but "Apache suEXEC privilege elevation" is *not* a suEXEC
problem and that's the whole point - people in this thread
mixing a lot of different things partly with no clue

Am 13.08.2013 01:45, schrieb coderaptor:
> On Mon, Aug 12, 2013 at 4:06 PM, Reindl Harald <h.reindl () thelounge net> wrote:
> > > > unlink('file_my_script_wrote'); is fine
> > > > unlink($_GET['what_ever_input']): is a security hole
> > > >
> > > > so do we now disable unlink();
> > >
> > > Why not?
> >
> > because it is plain stupid
>
> You think so. Not everyone shares your opinion.

you know the quote from "Dirty Harry" about opinions?

> > you even statet that you did not realize that others are talking
> > about PHP and you not knew the context of 'disable_functions'
> > and so stop trying to be a smartass in topics you are clueless
>
> Please no personal insults

truth != insult

> > > Go ahead and disable all 1330 functions if the need be, and let the
> > > Administrator figure out which ones he should carefully enable
> >
> > please stop making yourself *that* laughable
>
> I don't care.

i see

> > > Just for the sake of argument? Which sane framework provides 1330
> > > functions? Security is surely not black and white, but this argument
> > > should not justify poor design choices. Anyways, no matter what one
> > > does, using a framework with 1330 functions is poor security decision
> >
> > please be quite and come back after you understood the difference
> > between a programming language and a framework
> >
> > hint:
> >
> > * PHP:                     programming language
> > * Ruby:                    programming language
> >
> > * Zend Framework, Symfony: Framework
> > * Ruboy On Rails:          Framework
>
> Does it matter if I call at a framework, programming language, or
> dancing donkey? It doesn't change the reality

yes, if you talk on a professional level you need to know
the basics if you like to be taken serious

Attachment: signature.asc
Description: OpenPGP digital signature