Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-11 Thread Tobias Kreidl
It is for this specific reason that utilities like suPHP can be used as a powerful tool to at least keep the account user from shooting anyone but him/herself in the foot because of any configuration or broken security issues. Allowing suexec to anyone but a seasoned, responsible admin is IMO

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-11 Thread terry white
... ciao: : on 8-10-2013 Gichuki John Chuksjonia writ: : most of the Admins who handle webservers : in a network are also developers name , just a few : most of the organizations will always need to cut on expenses, history suggests, security breaches, are NOT a profit center.

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-11 Thread Reindl Harald
On 10.08.2013 16:52, Tobias Kreidl wrote: It is for this specific reason that utilities like suPHP can be used as a powerful tool to at least keep the account user from shooting anyone but him/herself in the foot because of any configuration or broken security issues. Allowing suexec to

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-11 Thread Ansgar Wiechers
On 2013-08-11 Reindl Harald wrote: On 10.08.2013 16:52, Tobias Kreidl wrote: It is for this specific reason that utilities like suPHP can be used as a powerful tool to at least keep the account user from shooting anyone but him/herself in the foot because of any configuration or broken

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-11 Thread Michal Zalewski
for doing these features in httpd.conf you can use AllowOverride None instead of AllowOverride all AllowSymlinks is a red herring here (hardlinks should do, unless you have stuff partitioned in a very thoughtful way, which most don't), similarly to suexec. In general, sharing web hosting

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-11 Thread Reindl Harald
On 11.08.2013 14:50, Ansgar Wiechers wrote: On 2013-08-11 Reindl Harald wrote: On 10.08.2013 16:52, Tobias Kreidl wrote: It is for this specific reason that utilities like suPHP can be used as a powerful tool to at least keep the account user from shooting anyone but him/herself in the

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-11 Thread Tobias Kreidl
Agreed. Many sites limit users to at most SymLinksIfOwnerMatch for that very reason, not to mention limits on CGI privileges. AllowSymlinks, IMO, ought to be reserved for the sysadmin on the server and used sparingly. You can, of course, even require .htaccess configurations to be set in the

[SECURITY] [DSA 2736-1] putty security update

2013-08-11 Thread Salvatore Bonaccorso
Debian Security Advisory DSA-2736-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso August 11, 2013