[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1376101357.5481.2.camel@tardis>
Date: Sat, 10 Aug 2013 12:22:37 +1000
From: Noel Butler <noel.butler@...ics.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Apache suEXEC privilege elevation /
information disclosure
On Fri, 2013-08-09 at 06:21 -0500, R. Whitney wrote:
> I would concern myself more with the web hosting providers which
> utilize suExec. By escalating privileges even to just the level of the
> HTTPD would allow one to read/write to content outside of their web
> hosting account.
> I have personally been in situations where I have had to advise sys
> admins that suExec was properly setup & my web hosting account was
> capable of (in worst case scenario) shutting down the HTTPD itself,
> and in other situations capable of reading things like wordpress
> config files from other hosting accounts.
>
Then httpd was clearly not configured by someone who knew what they were
doing - and majorly broke it somehow
> Good work as always Kingcope. :)
>
oh dear .. I knew there was a reason why I rarely read this list unless
something is off-list brought to my attention.
Content of type "text/html" skipped
Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists