Re: [Full-disclosure] Apache suEXEC privilege elevation / inform
On 11.08.2013 23:56, Stefan Kanthak wrote:
> "Reindl Harald" <h.reindl@thelounge.net> wrote:
>> again:
>> symlinks are to not poison always and everywhere
>> they become where untrusted customer code is running
>> blame the admin which does not know his job and not
>> the language offering a lot of functions where some
>> can be misused
>
> Again: symlinks are well-known as attack vector for years!
and that's why any admin which is not clueless
disables the symlink function - but there exists
code which *is* secure, runs in a controlled
environment and makes use of it for good reasons
> It's not the user/administrator who develops or ships insecure code!
but it's the administrator which has the wrong job if
creating symlinks is possible from any random script
running on his servers
anyways, i am done with this thread
the topic is *not* "Apache suEXEC privilege elevation" it
is "admins not secure their servers" - period