On 11.08.2013 23:56, Stefan Kanthak wrote:
> "Reindl Harald" <h.reindl@xxxxxxxxxxxxx> wrote:
>> again:
>> symlinks are to not poison always and everywhere
>> they become where untrusted customer code is running
>> blame the admin which does not know his job and not
>> the language offering a lot of functions where some
>> can be misused
>
> Again: symlinks are well-known as attack vector for years!

and that's why any admin which is not clueless disables the symlink function - but there exists code which *is* secure, runs in a controlled environment and makes use of it for good reasons

> It's not the user/administrator who develops or ships insecure code!

but it's the administrator which has the wrong job if create symlinks is possible from any random script running on his servers

anyways, i am done with this thread

the topic is *not* "Apache suEXEC privilege elevation"
it is "admins not secure their servers" - period