Open Source and information security mailing list archives
 
Date: Sun, 11 Aug 2013 17:39:13 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

On 11.08.2013 14:50, Ansgar Wiechers wrote:
> On 2013-08-11 Reindl Harald wrote:
>> On 10.08.2013 16:52, Tobias Kreidl wrote:
>>> It is for this specific reason that utilities like suPHP can be used
>>> as a powerful tool to at least keep the account user from shooting
>>> anyone but him/herself in the foot because of any configuration or
>>> broken security issues. Allowing suexec to anyone but a seasoned,
>>> responsible admin is IMO a recipe for disaster.
>>
>> and what makes you believe that a developer can not be a "seasoned,
>> responsible admin"?
> 
> Most developers I have met would focus on getting new features to work
> rather than secure/reliable operation of the deployed software

Maybe you met the wrong ones...

On the other hand, most admins I met did not use "disallow_functions".
A responsible developer who is at the same time an admin has the
knowledge not to use dangerous functions, and disables them.

One config line and the whole topic would be obsolete, by not
allowing symlinks from web applications:

; php.ini: the value of disable_functions must be on a single line
disable_functions = "popen, pclose, exec, passthru, shell_exec, system, proc_open, proc_close, proc_nice, proc_terminate, proc_get_status, pcntl_exec, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, mail, symlink, link, dl, get_current_user, getmypid, getmyuid, getrusage, pfsockopen, socket_accept, socket_bind, openlog, syslog"

>> bullshit, many of the "seasoned, responsible admins" which are only
>> admins are unable to really understand the implications of whatever
>> config they rollout
> 
> Apparently you still haven't learned your lesson from being banned from
> the postfix-users mailing list

Oh, I forgot, in the English-speaking world I have to write
"could I ask you please could consider to think about...."



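The message above argues that one php.ini line, a disable_functions list that includes symlink and link, takes the symlink trick off the table for PHP web applications. An admin still has to verify that the deployed php.ini actually carries that list, and that a later line in the file does not override it. The following is an added example, not code from the thread or from any of its participants: a small POSIX sh audit that parses the last uncommented disable_functions assignment in a php.ini and reports which of a required set of functions are still callable. The two ini files are constructed in a temporary directory for the demonstration (one with the list from the message, one with a stock list that blocks shells but leaves symlink() usable); the file names and the REQUIRED set are assumptions, not anything the page specifies. Note that php.ini needs the whole value on one line, which is why the wrapped version from the mail is joined here.

```shell
#!/bin/sh
# Audit a php.ini for a required disable_functions set.
# Added example, not part of the mailing-list thread. Paths and the
# REQUIRED list below are assumptions chosen for the demonstration.

# Print the effective disable_functions value of an ini file, one function
# name per line. Only uncommented assignments count (lines starting with ';'
# are comments), and the last assignment wins, as it does for php.ini.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 \
        | tr -d "\"'" \
        | tr ',' '\n' \
        | tr -d ' \t' \
        | grep -v '^$'
}

# Usage: check_disable_functions /path/php.ini func1 func2 ...
# Prints the functions from the list that are NOT disabled and returns 1
# if there is at least one; returns 0 when every listed function is blocked.
check_disable_functions() {
    ini="$1"
    shift
    have=$(disabled_functions "$ini")
    missing=""
    for fn in "$@"; do
        # -x: whole-line match, -F: literal name, not a regex
        if ! printf '%s\n' "$have" | grep -qxF "$fn"; then
            missing="$missing $fn"
        fi
    done
    if [ -n "$missing" ]; then
        echo "NOT disabled in $ini:$missing"
        return 1
    fi
    echo "all required functions are disabled in $ini"
    return 0
}

# Constructed sample configs for the demonstration (not real files from the page).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# The list from the message above, joined onto the single line php.ini requires.
cat > "$tmp/hardened.ini" <<'EOF'
; php.ini excerpt (constructed sample)
;disable_functions =
disable_functions = "popen, pclose, exec, passthru, shell_exec, system, proc_open, proc_close, proc_nice, proc_terminate, proc_get_status, pcntl_exec, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, mail, symlink, link, dl, get_current_user, getmypid, getmyuid, getrusage, pfsockopen, socket_accept, socket_bind, openlog, syslog"
EOF

# A stock-style list that blocks shell escapes but still allows symlink()/link().
cat > "$tmp/stock.ini" <<'EOF'
; php.ini excerpt (constructed sample)
disable_functions = exec,passthru,shell_exec,system
EOF

# The functions an admin following the message's advice would insist on.
REQUIRED="symlink link exec shell_exec system popen proc_open"

for ini in "$tmp/hardened.ini" "$tmp/stock.ini"; do
    check_disable_functions "$ini" $REQUIRED || true   # report both, keep going
done
```

The hardened file passes, while the stock file is reported with symlink, link, popen and proc_open still callable. Because the parser takes the last uncommented assignment, a second disable_functions line appended further down the file (or in a later-loaded conf.d fragment, if you concatenate those before running the check) is caught rather than silently masked by the first one.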