On Mon, 23 Apr 2012 12:51:58 +0200, Vincent Lefevre wrote:

> On 2012-04-20 14:37:11 +0000, Camaleón wrote:

>> The user is the admin of his/her site and so the ultimate responsible
>> for his/her site security.
>
> What do you mean by site security? AFAIK, the problem is a *host*
> security problem.

As Apache can be run in a multi-homed (virtual host) environment I can be
the admin of *my* site (my apache configuration) but not for the others.
I can fix my site but not the rest, meaning, there can be "sites"
exposing a vulnerable configuration while other sites on the same host
don't.

>> > There is a better solution: to fix mod_php and mod_rivet.
>>
>> What's the fix you propose? I mean, what's what you think is wrong in
>> these two packages? Fixing the sample scripts? Are these scripts poorly
>> written and exposing flaws?
>
> Your last questions make no sense.

Sorry, the DSA explains little about the origin of the error and how it
can be exploited.

> The sample scripts are *not* in these two packages, but under
> /usr/share/doc! So, there is nothing to fix in the sample scripts
> themselves. The fix should be in the two packages, which shouldn't
> execute scripts stored in a random directory, i.e. the scripts in
> /usr/share/doc should just be seen as text files. This should be a bit
> like CGI's: they are executed only if the ExecCGI option has been set
> on the directory.

So you consider the flaw is "where", exactly? What do you think the
packages are doing wrong? And most important, have you contacted the
Apache guys to share your concerns with them?

Greetings,

-- 
Camaleón
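An added example, not part of the thread or of either package: a small audit that lists every `Alias` in an Apache configuration that maps a URL onto `/usr/share/doc`, and reports whether a covering `<Directory>` block turns the PHP interpreter off with `php_admin_flag engine off`. The configuration text is constructed for illustration, the function name `audit` is hypothetical, and the check covers mod_php only (it knows nothing about mod_rivet).

```python
import re

# Constructed sample vhost configuration (not taken from the thread).
SAMPLE_CONF = '''
<VirtualHost *:80>
    DocumentRoot /var/www
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
    </Directory>
    Alias /manual /usr/share/doc/apache2-doc/manual
    <Directory /usr/share/doc/apache2-doc/manual>
        php_admin_flag engine off
    </Directory>
    Alias /icons/ /usr/share/apache2/icons/
</VirtualHost>
'''

# "Alias <url> <path>" only; ScriptAlias and AliasMatch do not match.
ALIAS_RE = re.compile(r'^\s*Alias\s+(\S+)\s+"?([^"\s]+)"?', re.I | re.M)
DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>',
                    re.I | re.S)
# Anchored at line start so a commented-out directive is not counted.
ENGINE_OFF_RE = re.compile(r'^\s*php_admin_flag\s+engine\s+off\b',
                           re.I | re.M)

def norm(path):
    """Drop a trailing slash so paths compare consistently."""
    return path.rstrip('/') or '/'

def audit(conf, doc_root='/usr/share/doc'):
    """Return (url, target, php_disabled) for each Alias under doc_root."""
    # Directories whose <Directory> block switches the PHP engine off.
    hardened = [norm(p) for p, body in DIR_RE.findall(conf)
                if ENGINE_OFF_RE.search(body)]
    findings = []
    for url, target in ALIAS_RE.findall(conf):
        t = norm(target)
        if t != doc_root and not t.startswith(doc_root + '/'):
            continue  # alias does not expose the documentation tree
        # A <Directory> section applies to the directory and everything below it.
        off = any(t == h or t.startswith(h + '/') for h in hardened)
        findings.append((url, t, off))
    return findings

if __name__ == '__main__':
    for url, target, off in audit(SAMPLE_CONF):
        print(url, '->', target, 'PHP disabled' if off else 'PHP NOT disabled')
```

An entry reported with PHP not disabled is one where files under that part of `/usr/share/doc` are reachable over HTTP and no `<Directory>` block in the scanned text stops mod_php from handling them.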