Re: [Full-Disclosure] Frontpage Extensions Remote Command Execution
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] Frontpage Extensions Remote Command Execution
- From: Damian Gerow <damian@sentex.net>
- Date: Wed, 12 Nov 2003 14:53:02 -0500
Thus spake mattmurphy@kc.rr.com (mattmurphy@kc.rr.com) [12/11/03 14:41]:
> bulletin. A decent admin would configure FPSE such that this flaw is a
> non-issue. This is because no ordinary user has a reason to be accessing
> FPSE's files. If FPSE is secured, this means that an attacker is getting
> their own privileges back.
A decent OS shouldn't need the admin to go in and modify permissions on
specific files in order to ensure a basic security requirement.
While an ordinary user may have no reason to access those files, an ordinary
admin should similarly have no reason for modifying the permissions on
those files.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html