lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 10 Aug 2013 12:22:37 +1000
From: Noel Butler <>
Subject: Re: Apache suEXEC privilege elevation /
 information disclosure

On Fri, 2013-08-09 at 06:21 -0500, R. Whitney wrote:

> I would concern myself more with the web hosting providers which
> utilize suExec. By escalating privileges even to just the level of the
> HTTPD would allow one to read/write to content outside of their web
> hosting account.
> I have personally been in situations where I have had to advise sys
> admins that suExec was properly setup & my web hosting account was
> capable of (in worst case scenario) shutting down the HTTPD itself,
> and in other situations capable of reading things like wordpress
> config files from other hosting accounts.

Then httpd was clearly not configured by someone who knew what they were
doing - and majorly broke it somehow

> Good work as always Kingcope. :)

oh dear .. I knew there was a reason why I rarely read this list unless
something is off-list brought to my attention.

Content of type "text/html" skipped

Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists