Date: Mon, 12 Aug 2013 11:56:07 -0700
From: "Peter Gregory" <Peter.Gregory@...mybahama.com>
To: "Coderaptor" <coderaptor@...il.com>,
  "Reindl Harald" <h.reindl@...lounge.net>
Cc: "Stefan Kanthak" <stefan.kanthak@...go.de>,
  "Tobias Kreidl" <tobias.kreidl@....edu>, <bugtraq@...urityfocus.com>
Subject: RE: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

+1

PETER H GREGORY, C|CISO, CISA, CISSP, CRISC, PCI-ISA | Data Security Manager
428 Westlake Avenue North, Suite 388 | Seattle, WA 98109
peter.gregory@...mybahama.com | Skype peterhgregory | D: 206.905.5773 F: 206.905.5675

MAKE LIFE one LONG WEEKEND(tm) | TOMMYBAHAMA.COM

-----Original Message-----
From: Coderaptor [mailto:coderaptor@...il.com] 
Sent: Monday, August 12, 2013 10:28 AM
To: Reindl Harald
Cc: Stefan Kanthak; Tobias Kreidl; bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

I have been a silent spectator to this drama, and could not resist
adding a few thoughts of my own:

1. All software, especially webservers, should ship with secure
defaults. Period. It is a fundamental mistake to assume all admins who
roll out web apps and maintain servers RTFM before rolling out. The key
idea here is "time to market", and there is a huge amount of data to prove
this.

2. Apache clearly does not ship with secure defaults in favor of
convenience? disable_functions is an example - do you expect an admin to
be a unix expert or know what each parameter in there means? It also
indicates this was added in reactively, and not accounted for in the
core design. Why not enable_functions instead, with everything disabled
to begin with? (Oh, that wouldn't help you achieve world dominance and
fast!)

3. Secure by design, implementation, and deployment isn't utopia, it's
very much an achievable target. But then it wouldn't feed bugtraq
anymore or the billion dollar industry called the "security industry",
would it?

A huge amount of software today is turd polishing, open source no
exception (though it is supposed to have a better track record). The blame
lies squarely on everyone.

-coderaptor

--
sent via 100% recycled electrons from my mobile command center.

On Aug 11, 2013, at 3:30 PM, Reindl Harald <h.reindl@...lounge.net>
wrote:

> 
> 
> On 11.08.2013 23:56, Stefan Kanthak wrote:
>> "Reindl Harald" <h.reindl@...lounge.net> wrote:
>>> again:
>>> symlinks are not to poison always and everywhere they become where 
>>> untrusted customer code is running; blame the admin which does not 
>>> know his job and not the language offering a lot of functions where 
>>> some can be misused
>> 
>> Again: symlinks are well-known as attack vector for years!
> 
> and that's why any admin which is not clueless disables the symlink 
> function - but there exists code which *is* secure, runs in a 
> controlled environment and makes use of it for good reasons
> 
>> It's not the user/administrator who develops or ships insecure code!
> 
> but it's the administrator who has the wrong job if creating symlinks 
> is possible from any random script running on his servers
> 
> anyways, i am done with this thread
> 
> the topic is *not* "Apache suEXEC privilege elevation" it is "admins 
> not securing their servers" - period
> 
> 

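The disable_functions setting that coderaptor's second point objects to, and the "disable the symlink function" advice in Reindl Harald's reply, shown as a php.ini fragment. This is an added example for the reader; it is not part of the thread and is not any poster's configuration. Only the symlink and link functions are supported by the discussion above; the remaining names in the hardened list are my assumption of what a shared host would typically add, not something the page states.

```ini
; php.ini fragment -- added example, not taken from the thread.

; Stock PHP ships with nothing disabled; this empty value is the
; "insecure default" coderaptor complains about. Any script run under
; suEXEC can therefore call symlink(), the vector the thread is about.
; disable_functions =

; Hardened value for a host running untrusted customer code.
; symlink and link are the functions discussed in the thread; the
; others are assumed additions common on shared hosts (not from the page).
disable_functions = symlink,link,exec,passthru,shell_exec,system,proc_open,popen
```

Two caveats a practitioner should know. First, disable_functions is a PHP_INI_SYSTEM directive: it can only be set in php.ini (or in the main server configuration), so a customer's .htaccess, .user.ini or ini_set() call cannot re-enable the functions. Second, it only governs what PHP code may call; it does not change whether Apache itself follows symlinks already present in a document root, which is controlled separately by the FollowSymLinks and SymLinksIfOwnerMatch options. There is no enable_functions allow-list directive in PHP; the deny-list is the only mechanism offered, which is the design point coderaptor is making.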