Message-ID: <520653C8.1010105@nau.edu>
Date: Sat, 10 Aug 2013 07:52:56 -0700
From: Tobias Kreidl <tobias.kreidl@....edu>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

It is for this specific reason that utilities like suPHP can be used as a powerful tool to at least keep the account user from shooting anyone but him/herself in the foot because of any configuration or broken security issues. Allowing suexec to anyone but a seasoned, responsible admin is IMO a recipe for disaster.

--Tobias

On 8/10/2013 7:25 AM, Reindl Harald wrote:
>
> On 10.08.2013 12:10, Gichuki John Chuksjonia wrote:
>> One thing you gotta remember: most of the admins who handle webservers in
>> a network are also developers, since most of the organizations will
>> always need to cut on expenses, and as we know, most of the developers
>> will just look into finishing work and making it work. So if something
>> doesn't run due to httpd.conf, you will find these guys loosening
>> server security, therefore opening holes to the infrastructure.
>
> I am one of the developers who are admins
>
> why?
>
> because maintaining servers where only internally developed
> software runs gives you the power to make security as tight
> as possible - and yes, security is *always* first
>
> not the admins who are developers are the problem
>
> crap like WordPress, Joomla, phpBB is the problem because
> these developers have no idea how to securely maintain a
> server and try to develop software which can be installed
> by any random fool on whatever webserver without understanding
> the implications
>
> that's why these applications are *strictly* forbidden
> on any machine I am responsible for; it's enough to write
> abuse mails each time one of these installations outside
> gets hacked and starts attacks on 3rd parties
>