| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130811125013.GA14418@mail.planetcobalt.net> Date: Sun, 11 Aug 2013 14:50:13 +0200 From: Ansgar Wiechers <bugtraq@...netcobalt.net> To: bugtraq@...urityfocus.com Subject: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure On 2013-08-11 Reindl Harald wrote: > Am 10.08.2013 16:52, schrieb Tobias Kreidl: >> It is for this specific reason that utilities like suPHP can be used >> as a powerful tool to at least keep the account user from shooting >> anyone but him/herself in the foot because of any configuration or >> broken security issues. Allowing suexec to anyone but a seasoned, >> responsible admin is IMO a recipe for disaster. > > and what makes you believe that a developer can not be a "seasoned, > responsible admin"? Most developers I have met would focus on getting new features to work rather than secure/reliable operation of the deployed software. > bullshit, many of the "seasoned, responsible admins" which are only > admins are unable to really understand the implications of whatever > config they rollout Apparently you still haven't learned your lesson from being banned from the postfix-users mailing list. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Powered by blists - more mailing lists