[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 8 Aug 2013 12:22:09 GMT
From: Hv5hA5ms@...cardmail.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: [Full-disclosure] Apache suEXEC privilege elevation /
information disclosure
This is in no way an exploit.
Apache behaviour is as expected.
When an user has the ability to activate FollowSymlinks and to create symlinks - than this is the fault of the systems operator.
In no way has this anything to do with suEXEC.
suEXEC *does not* disallow read access via HTTP requests to files owned by www-data. Everybody should know that only the cgi/php/whatever scripts are run as configured the suexec uid/gid but apache serving static files are read via www-data user.
Creating a symlink named 'test99.php' only adds confusion but has nothing to do with the fact that there is no exploit.
Powered by blists - more mailing lists