On 11/21/2011 10:19 AM, Joe Orton wrote:
> I agree for resource consumption attacks. I think there's still a good case for treating bugs which allow escalation of privileges as security issues (i.e. something which gets you from an .htaccess file to arbitrary code execution in the httpd child).
Afraid I agree with Issac, that impersonating nobody/nobody (Apache user/group) is always going to be barely protected. Allowing users to touch .htaccess always creates an avenue for getting their fingers into cgi configuration. We often stress that the Apache User/Group should have fewer privileges than typical local users; I guess this is one more section where we might repeat that refrain.