lists.openwall.net: Open Source and information security mailing list archives
Date: Sun, 11 Aug 2013 22:15:31 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "Reindl Harald" <h.reindl@...lounge.net>,
  "Tobias Kreidl" <tobias.kreidl@....edu>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

"Reindl Harald" <h.reindl@...lounge.net> wrote:

> On 10.08.2013 16:52, Tobias Kreidl wrote:
>> It is for this specific reason that utilities like suPHP can be used as a powerful tool to at least keep the
>> account user from shooting anyone but him/herself in the foot because of any configuration or broken security
>> issues. Allowing suexec to anyone but a seasoned, responsible admin is IMO a recipe for disaster.
>
> and what makes you believe that a developer cannot be a "seasoned, responsible admin"?

Because developers write functions like "system", "symlink" and "suexec"
which can create havoc (and have been WELL-KNOWN for creating havoc for
years) and allow everybody to call them in the default configuration of
their software.

> bullshit, many of the "seasoned, responsible admins" which are only
> admins are unable to really understand the implications of whatever
> config they roll out

It was the developer who created and published this vulnerable software
or the vulnerable default configuration in the first place.

If a user/administrator who installs software has to turn insecure
features OFF, it's the developer who is to blame, and of course the
testers, the QA and the management too.

Stefan Kanthak
