On Tue, 5 Mar 2002, at 9:01am, Karl J. Runge wrote:
> Call me "chicken little", but I am getting worried about the looming
> Apache/PHP vulnerability out there:

  My understanding is that this hole does not lead directly to privilege
elevation.  In other words, it might lead to compromise of the "nobody"
account or similar, but not full root access (like Code Red).  Am I correct
here?

  (I am aware of the amount of damage even an unprivileged user can do, and
that root compromise is generally a short step away from an unprivileged
compromise, but I want to make sure my understanding of this PHP hole itself
is correct.)

> That would be worse than code red and a huge blow to Apache & OSS. :-(

  Code Red was a root exploit.  IIS runs with root privileges.  I realize
the potential for bad PR is the same regardless, but in practical terms,
that is an important difference.

> I hope I turn out to be chicken little...

  Me too.  But even if that is the case for this exploit, the Unix community
is going to get nailed eventually.  I anticipate a mass-mailing worm that
propagates using Linux.  Many Unix advocates act high and mighty when it
comes to Outlook's security record, but the fact is that many of these worms
have exploited human failures ("Run this program!") first and foremost.  
Unix is just as vulnerable to social engineering as anything else.

  Cheery thoughts.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |
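The distinction drawn above (a hole in the request-handling path hands the attacker the daemon's privileges, not root's, only if the workers have actually dropped to an unprivileged account) is cheap to check. The following script is an added example, not code from the original post or from the Apache project: it reads `ps -eo user,pid,ppid,comm` output and flags httpd workers still running as root. It assumes the usual Apache layout, a root-owned parent (parent PID 1 here) that binds port 80 and forks workers which setuid to "nobody"; the sample ps output is constructed, with worker 1004 deliberately left as root to exercise the check.

```shell
#!/bin/sh
# Constructed sample of `ps -eo user,pid,ppid,comm` output (not taken from the post).
# The Apache parent (pid 1001) legitimately runs as root to bind port 80; its
# workers should have dropped to "nobody".  Worker 1004 is deliberately wrong.
SAMPLE_PS='USER       PID  PPID COMMAND
root         1     0 init
root      1001     1 httpd
nobody    1002  1001 httpd
nobody    1003  1001 httpd
root      1004  1001 httpd
root      1200     1 sshd'

# Print the PIDs of httpd worker processes (children of the root parent) that
# are still running as root.  Reads ps output on stdin.  Assumption: the parent
# is the httpd process whose PPID is 1; every other httpd is a request worker,
# and a worker running as root turns a PHP/Apache hole into a root hole.
root_httpd_workers() {
    awk 'NR > 1 && $4 == "httpd" && $3 != 1 && $1 == "root" { print $2 }'
}

# Exit status 1 if any worker runs as root, 0 otherwise, so the check can gate
# a deployment or monitoring script.  Reads ps output on stdin.
check_httpd_privs() {
    n=$(root_httpd_workers | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n httpd worker(s) running as root" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample.  On a live box:
#   ps -eo user,pid,ppid,comm | check_httpd_privs
printf '%s\n' "$SAMPLE_PS" | check_httpd_privs || true
```

On a correctly configured server (User/Group set to an unprivileged account in httpd.conf) the function prints nothing and returns 0; the parent still shows up as root, which is expected and is why it is excluded.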
