Re: Another Fedora decision




On Wed, Feb 4, 2015 at 8:43 PM, Warren Young <wyml@xxxxxxxxxxx> wrote:
>> On Feb 4, 2015, at 7:23 PM, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
>>
>> On Wed, Feb 4, 2015 at 6:32 PM, Warren Young <wyml@xxxxxxxxxxx> wrote:
>>>
>>> An LPE can only be used against your system by logged-in users.
>>
>> Or any running program - like a web server.
>
> That’s not what LPE means.  “L” = “local”, meaning you are logged-in interactively to the server, or have the ability to execute arbitrary commands remotely, which comes to the same thing.
>
> The only way Apache can be used in conjunction with an LPE to provide root access is via something like Shellshock.

The instance I saw used a Java web server, but server bugs that
allow execution of arbitrary commands have been fairly numerous -
shellshock might have worked too.  And that's all you need to turn
what you thought was a local vulnerability into a remote one.

-- 
   Les Mikesell
     lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




