Message-ID: <5207B42F.4070102@nau.edu>
Date: Sun, 11 Aug 2013 08:56:31 -0700
From: Tobias Kreidl <tobias.kreidl@....edu>
To: <bugtraq@...urityfocus.com>
Subject: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
Agreed. Many sites limit users to at most SymLinksIfOwnerMatch for that
very reason, not to mention limits on CGI privileges. AllowSymlinks,
IMO, ought to be reserved for the sysadmin on the server and used
sparingly. You can, of course, even require .htaccess configurations to
be set in the server's configuration files instead of in the user
account areas (in conjunction with the AllowOverride None setting).
--Tobias
On 8/11/2013 7:52 AM, Michal Zalewski wrote:
>> for doing these features in httpd.conf you can use AllowOverride None instead
>> of AllowOverride all
> AllowSymlinks is a red herring here (hardlinks should do, unless you
> have stuff partitioned in a very thoughtful way, which most don't),
> similarly to suexec.
>
> In general, sharing web hosting providers that allow shell access or
> scripting are pretty much boned in a myriad of ways.
>
> /mz
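The two settings Tobias mentions, shown side by side as an added configuration example (this is not from the thread or from the Apache project; the directory path, the use of a wildcard per-user DocumentRoot, and the Apache 2.4 `Require` syntax are assumptions). The first block is the permissive layout the thread argues against; the second keeps symlink following conditional on matching ownership and moves all per-directory configuration into the server config by turning off `.htaccess` processing:

```apache
# Added example, not from the original thread. Paths and the 2.4-style
# authorization directive are assumptions.

# Permissive: any symlink is followed regardless of who created it,
# and a user-writable .htaccess can re-enable options the admin removed.
<Directory "/home/*/public_html">
    Options FollowSymLinks ExecCGI
    AllowOverride All
    Require all granted
</Directory>

# Hardened, along the lines described in the reply above:
#  - SymLinksIfOwnerMatch: follow a symlink only when the link and its
#    target are owned by the same user, so one account cannot point
#    at another account's files or at the server's own config.
#  - AllowOverride None: .htaccess files are ignored entirely, so the
#    Options line above is authoritative and users cannot widen it.
#  - ExecCGI is dropped here; if CGI is needed, scope it to a dedicated
#    cgi-bin directory rather than the whole user area.
<Directory "/home/*/public_html">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>
```

Two caveats a practitioner should keep in mind when relying on this: Apache's own documentation notes that the `SymLinksIfOwnerMatch` ownership check is performed separately from opening the file, so it is not a strong security control against a user who can race it; and, as Zalewski's reply points out, none of these directives say anything about hardlinks, which bypass the symlink check entirely unless user areas are kept on separate filesystems from anything sensitive.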