| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Aug 2013 09:55:14 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: coderaptor <coderaptor@...il.com>
CC: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: [Full-disclosure] Apache suEXEC privilege elevation / information
disclosure
Am 13.08.2013 00:42, schrieb Brandon M. Graves:
> I hate to come late to the party, but following all of this, it is kind of
> ridiculous.
>
> I have to agree with those before in saying software should ship secure.
> in my environment whenever we are given a new bit to add to our
> infrastructure, be it a new server, new version of an OS, or new version
> of a software, either A) it comes to us from those at our distribution
> point pre templated to be unusable due to security, or B) we first make
> it unusable by configuring every possible security setting to be as tight
> as possible...
nobody said anything else
but "Apache suEXEC privilege elevation" is *not* a suEXEC
problem and that's the whole point - people in this thread
mixing a lot of different things partly with no clue
Am 13.08.2013 01:45, schrieb coderaptor:
> On Mon, Aug 12, 2013 at 4:06 PM, Reindl Harald <h.reindl@...lounge.net> wrote:
>>>> unlink('file_my_script_wrote'); is fine
>>>> unlink($_GET['what_ever_input']): is a security hole
>>>>
>>>> so do we now disable unlink();
>>>
>>> Why not?
>>
>> because it is plain stupid
>
> You think so. Not everyone shares your opinion.
you know the quote from "Dirty Harry" about opinions?
>> you even statet that you did not realize that others are talking
>> about PHP and you not knew the context of 'disable_functions'
>> and so stop trying to be a smartass in topics you are clueless
>
> Please no personal insults
truth != insult
>>> Go ahead and disable all 1330 functions if the need be, and let the
>>> Administrator figure out which ones he should carefully enable
>>
>> please stop making yourself *that* laughable
>
> I don't care.
i see
>>> Just for the sake of argument? Which sane framework provides 1330
>>> functions? Security is surely not black and white, but this argument
>>> should not justify poor design choices. Anyways, no matter what one
>>> does, using a framework with 1330 functions is poor security decision
>>
>> please be quite and come back after you understood the difference
>> between a programming language and a framework
>>
>> hint:
>>
>> * PHP: programming language
>> * Ruby: programming language
>>
>> * Zend Framework, Symfony: Framework
>> * Ruboy On Rails: Framework
>>
>
> Does it matter if I call at a framework, programming language, or
> dancing donkey? It doesn't change the reality
yes, if you talk on a professional level you need to know
the basics if you like to be taken serious
Download attachment "signature.asc" of type "application/pgp-signature" (264 bytes)
Powered by blists - more mailing lists