On Tue, 5 Mar 2002, at 9:01am, Karl J. Runge wrote:

> Call me "chicken little", but I am getting worried about the looming
> Apache/PHP vulnerability out there:

My understanding is that this hole does not lead directly to privilege elevation. In other words, it might lead to compromise of the "nobody" account or similar, but not full root access (like Code Red). Am I correct here? (I am aware of the amount of damage even an unprivileged user can do, and that root compromise is generally a short step away from an unprivileged compromise, but I want to make sure my understanding of this PHP hole itself is correct.)

> That would be worse than code red and a huge blow to Apache & OSS. :-(

Code Red was a root exploit. IIS runs with root privileges. I realize the potential for bad PR is the same regardless, but in practical terms, that is an important difference.

> I hope I turn out to be chicken little...

Me too. But even if that is the case for this exploit, the Unix community is going to get nailed eventually. I anticipate a mass-mailing worm that propagates using Linux. Many Unix advocates act high and mighty when it comes to Outlook's security record, but the fact is that many of these worms have exploited human failures ("Run this program!") first and foremost. Unix is just as vulnerable to social engineering as anything else.

Cheery thoughts.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization. All information is provided without warranty of any kind.   |