Re: [Full-disclosure] Apache suEXEC privilege elevation / inform
--UNNVE2jMBDwXrpLwxAb00x05O9c5OOa8E
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Am 13.08.2013 00:51, schrieb coderaptor:
> On Mon, Aug 12, 2013 at 2:45 PM, Reindl Harald <h.reindl@thelounge.net>=
wrote:
>>> ALL software MUST come with SECURE DEFAULTS. PERIOD. Anyone who think=
s otherwise should fly in an aircraft running
>>> his own designed software. Knowledgeable Admins are not an alternativ=
e to secure defaults, rather I'd prefer both.
>>
>> *define what is secure* and make sure you define it by context
>>
>> unlink('file_my_script_wrote'); is fine
>> unlink($_GET['what_ever_input']): is a security hole
>>
>> so do we now disable unlink();
>=20
> Why not?
because it is plain stupid
you even statet that you did not realize that others are talking
about PHP and you not knew the context of 'disable_functions'
and so stop trying to be a smartass in topics you are clueless
>> hey in this case you need also to disable fopen(), file_put_contents()=
>> and whatever function can open and overwrite a file - now you could
>> come and argue "but the permissions should not allow" - well, your
>> config should also not allow any random script to create symlinks
>>
>> on a internal application which is not accesable from the web
>> symlink() is harmless and may be used for good reasons
>>
>> so you should realize that security is not black and white
>=20
> Go ahead and disable all 1330 functions if the need be, and let the
> Administrator figure out which ones he should carefully enable
please stop making yourself *that* laughable
>> if you nned 100% secure defaults do not allow CGI and script interpret=
ers
>> and go back to static sites because you have to realize that *any*
>> scripting lanuguage is a security risk per definition - period
>=20
> Just for the sake of argument? Which sane framework provides 1330
> functions? Security is surely not black and white, but this argument
> should not justify poor design choices. Anyways, no matter what one
> does, using a framework with 1330 functions is poor security decision
please be quite and come back after you understood the difference
between a programming language and a framework
hint:
* PHP: programming language
* Ruby: programming language
* Zend Framework, Symfony: Framework
* Ruboy On Rails: Framework
--UNNVE2jMBDwXrpLwxAb00x05O9c5OOa8E
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlIJal8ACgkQhmBjz394AnlAdACeIPaT/QlcDFHboGtVHkIcnZ/k
sZkAn0r68ttZD04YK52AYRv4Qq5M3lzO
=48cU
-----END PGP SIGNATURE-----
--UNNVE2jMBDwXrpLwxAb00x05O9c5OOa8E--
討論串 (同標題文章)
完整討論串 (本文為第 23 之 32 篇):