Bugtraq mailing list archives
Re: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
From: Hv5hA5ms () discardmail com
Date: Thu, 8 Aug 2013 12:22:09 GMT
This is in no way an exploit. Apache behaviour is as expected. When a user has the ability to activate FollowSymLinks and to create symlinks, then this is the fault of the system's operator. In no way does this have anything to do with suEXEC. suEXEC *does not* disallow read access via HTTP requests to files owned by www-data. Everybody should know that only the cgi/php/whatever scripts are run as the configured suexec uid/gid, but static files served by Apache are read via the www-data user. Creating a symlink named 'test99.php' only adds confusion but has nothing to do with the fact that there is no exploit.
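An added example, not part of the original post: an operator-side audit that walks one account's document root and reports symlinks the web server user would follow out of that tree, or whose target has a different owner than the link. The function name `audit_symlinks`, the directory layout and the file names other than 'test99.php' are assumptions made for the illustration.

```python
import os
import tempfile

def audit_symlinks(docroot):
    """Return (link, target, reasons) for symlinks found under docroot that
    point outside it, have a differently owned target, or are dangling."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: symlinked directories are listed but never descended.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            reasons = []
            # Target resolves outside the tree this account is meant to publish.
            if os.path.commonpath([root, target]) != root:
                reasons.append("escapes-docroot")
            try:
                # Compare the owner of the link itself with the owner of its target.
                if os.lstat(link).st_uid != os.stat(link).st_uid:
                    reasons.append("owner-mismatch")
            except OSError:
                reasons.append("dangling")
            if reasons:
                findings.append((link, target, reasons))
    return findings

def demo():
    # Constructed layout: one docroot and one file belonging to another site.
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "home", "user1", "public_html")
        os.makedirs(docroot)
        other = os.path.join(tmp, "other", "config.php")
        os.makedirs(os.path.dirname(other))
        open(other, "w").close()
        page = os.path.join(docroot, "index.html")
        open(page, "w").close()
        os.symlink(other, os.path.join(docroot, "test99.php"))  # leaves the docroot
        os.symlink(page, os.path.join(docroot, "home.html"))    # stays inside it
        return [(os.path.basename(l), r) for l, _, r in audit_symlinks(docroot)]

if __name__ == "__main__":
    print(demo())
```

In the constructed layout both files belong to the same uid, so only the path check fires; on a shared host the owner comparison is the one that separates accounts.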