Re: [Full-disclosure] Apache suEXEC privilege elevation / inform
I have been a silent spectator to this drama, and could not resist adding a few thoughts of my own:
1. All software, especially webservers, should ship with secure defaults. Period. It is a fundamental mistake to assume all admins who roll out web apps and maintain servers RTFM before rolling out. The key idea here is "time to market", and there is a huge amount of data to prove this.
2. Apache clearly does not ship with secure defaults in favor of convenience? disable_functions is an example - do you expect an admin to be a unix expert or know what each parameter in there means? Also indicates this was added in reactively, and not accounted for in the core design. Why not enable_functions instead, with everything disabled to begin with? (Oh, that wouldn't help you achieve world dominance and fast!)
3. Secure by design, implementation, and deployment isn't utopia, it's very much an achievable target. But then it wouldn't feed bugtraq anymore or the billion dollar industry called the "security industry", would it?
A huge amount of software today is turd polishing, open source no exception (though it is supposed to have a better track record). The blame lies squarely on everyone.
-coderaptor
--
sent via 100% recycled electrons from my mobile command center.
On Aug 11, 2013, at 3:30 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>
>
> Am 11.08.2013 23:56, schrieb Stefan Kanthak:
>> "Reindl Harald" <h.reindl@thelounge.net> wrote:
>>> again:
>>> symlinks are not poison always and everywhere
>>> they become where untrusted customer code is running
>>> blame the admin which does not know his job and not
>>> the language offering a lot of functions where some
>>> can be misused
>>
>> Again: symlinks are well-known as attack vector for years!
>
> and that's why any admin which is not clueless
> disables the symlink function - but there exists
> code which *is* secure, runs in a controlled
> environment and makes use of it for good reasons
>
>> It's not the user/administrator who develops or ships insecure code!
>
> but it's the administrator which has the wrong job if
> create symlinks is possible from any random script
> running on his servers
>
> anyways, i am done with this thread
>
> the topic is *not* "Apache suEXEC privilege elevation" it
> is "admins not secure their servers" - period
>
>