[590] in WWW Security List Archive
re:ncsa security problems
daemon@ATHENA.MIT.EDU (Paul Phillips)
Fri Apr 14 16:05:30 1995
Date: Fri, 14 Apr 1995 09:25:35 -0700 (PDT)
From: Paul Phillips <psphilli@sdcc8.UCSD.EDU>
To: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.91.950414080836.12832A-100000@marmaduke.cs.umbc.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

On Fri, 14 Apr 1995, Kenneth Rowe wrote:
>
> Don't forget that a lot of the "holes" being talked about
> are of major concern only when you run/start-up httpd
> with root privileges.

Sorry, this is absolutely untrue. Have you been reading www-security the
last few days? If not, the archives are available on the web. I
described several possible consequences of a compromised "nobody" UID and
I wasn't trying too hard.

It's an incredibly uphill battle to get people to take this stuff
seriously! All I see on c.i.www.providers and elsewhere is people talking
about how easy this all is to fix. Great. But obviously it's not that
easy to find, or these holes would not have languished in the httpd code
for two years.

I formally am requesting that people stop downplaying these problems.
They are real and they need to be addressed.
--
Paul Phillips EMAIL: psp@ucsd.edu PHONE: (619) 220-0850
WWW: http://www.primus.com/staff/paulp/ FAX: (619) 220-0873