Re: [Roy makes accusations he can't prove] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality (was: [News] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality) - Linux


  1. Re: [Roy makes accusations he can't prove] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality


  2. Re: [Roy makes accusations he can't prove] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality


  3. Re: [Roy makes accusations he can't prove] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality

    "Wang My****" schreef in bericht
    news:47e47a32$0$581$6e1ede2f@read.cnntp.org...
    > Moshe is flatfish (aka: Gary Stewart)
    >
    > http://colatrolls.blogspot.com/2008/...arb-troll.html
    > http://colatrolls.blogspot.com/2007/...ish-troll.html



    Hi George!
    *PLONK*



  4. Re: [Roy makes accusations he can't prove] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality

    On Fri, 21 Mar 2008 20:19:53 -0400,
    Erik Funkenbusch wrote:
    > On Fri, 21 Mar 2008 16:24:04 -0700, Jim Richardson wrote:
    >
    >>> Then you've got some serious problems if you make your web pages writable
    >>> to the apache process.
    >>
    >> like a wiki...
    >
    > Most wikis use databases to store the data, do they not? I don't know of
    > any that update the actual web pages...



    Many wikis write to the filesystem, if not the pages themselves,
    elements of the structures.


    Further, if the crack is to the data of a non-related site, it doesn't
    matter if it's written to the filesystem or a DB, the underlying
    application layer (apache, or the like) must have access to update that
    data. The application layer generally controls the access. Either via an
    .htaccess type system, or something in a DB with uname/passwds, but in
    either case, the apache process has to have some kind of access there.


    --
    Jim Richardson http://www.eskimo.com/~warlock
    "If you choke a smurf, what color does it turn?"

  5. Re: [Roy makes accusations he can't prove] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality

    On Fri, 21 Mar 2008 20:28:57 -0400,
    Moshe Goldfarb wrote:
    > On Fri, 21 Mar 2008 20:19:53 -0400, Erik Funkenbusch wrote:
    >
    >> On Fri, 21 Mar 2008 16:24:04 -0700, Jim Richardson wrote:
    >>
    >>>> Then you've got some serious problems if you make your web pages writable
    >>>> to the apache process.
    >>>
    >>> like a wiki...
    >>
    >> Most wikis use databases to store the data, do they not? I don't know of
    >> any that update the actual web pages...
    >
    > That's what I was getting at and please correct this non programmer if I am
    > wrong.
    >
    > I have no clue how the data is stored or changed but my take on it is that
    > they would be crazy to let anyone just update the actual page???
    >
    > Make sense?
    >
    > Yes/No ?
    >


    They generally put in place controls to prevent it yes, which is why it
    needs some sort of crack to do so. But that doesn't mean the crack is at
    the OS level, it could be at the app level, since for a system with a
    CMS, or a wiki like system, there has to be some way to update content,
    and that is usually done via the web server. ( although I have seen CMS
    systems that use a separate server process for the admin/update side of
    things and the serving side of things, for both security and speed
    reasons. )


    --
    Jim Richardson http://www.eskimo.com/~warlock
    Life is too short to be taken seriously.
    -- Oscar Wilde

  6. Re: [Roy makes accusations he can't prove] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality

    On Fri, 21 Mar 2008 19:44:30 -0400,
    Moshe Goldfarb wrote:
    > On Fri, 21 Mar 2008 16:24:04 -0700, Jim Richardson wrote:
    >
    >> On Fri, 21 Mar 2008 18:02:52 -0400,
    >> Erik Funkenbusch wrote:
    >>> On Fri, 21 Mar 2008 12:40:07 -0700, Jim Richardson wrote:
    >>>
    >>>>> Linux is a collection of everything that runs on it, just as Windows is a
    >>>>> collection of everything that runs on it.
    >>>>
    >>>> and yet you have oft times in the past claimed that flaws in Win32 apps
    >>>> (that happen to also have a Linux version) are not vulnerabilities in
    >>>> "Windows" when they are vulnerabilities in "Linux"
    >>>
    >>> They are vulnerabilities in the platform, not the software written by
    >>> Microsoft. It's still a platform vulnerability. Microsoft can't be held
    >>> responsible for such vulnerabilities.
    >>>
    >>> On the other hand, any software distributed by the vendor, either via disk
    >>> or via repository is the vendor's responsibility, and that includes 3rd
    >>> party drivers or software that Microsoft distributes either on disk or via
    >>> windows update.
    >>>
    >>>>> The point was, you claimed that your site was hacked by another account,
    >>>>> that means they had to get root access to access other accounts, that means
    >>>>> a root privilege escalation.
    >>>>
    >>>> or crap security of phpbb. Go figure. No, a root exploit is not the only
    >>>> way. PhPBB writes and reads files as the apache user (at least on
    >>>> fedora/Centos) So no, overwriting one website via another doesn't
    >>>> require root exploit.
    >>>
    >>> Then you've got some serious problems if you make your web pages writable
    >>> to the apache process.
    >>
    >> like a wiki...
    >
    > ?????
    > Explain in layman's terms.
    >



    Say you have a website with two accounts, mypage_1 and mypage_2,
    facebook or the like. You have a mechanism that allows the owner of
    mypage_1 to update his site, without allowing him to modify mypage_2. If
    you screw that mechanism up, (as has happened in the past with, among
    others, Hotmail IIRC) then you have a problem.


    Since the system used must be able to modify mypage_* files, Erik's
    comment about not being able to write to the files is a bit silly. While
    it's possible to set up a system with an out of band modification
    system, few Wikis or CMS are set up that way.

    Unless Erik was talking about a system with pages that never change.
    Which would be, disingenuous at best.



    --
    Jim Richardson http://www.eskimo.com/~warlock
    "I have never made but one prayer to God, a very short one: 'O Lord,
    make my enemies ridiculous.' And God granted it."
    -Voltaire

  7. Re: [Roy makes accusations he can't prove] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality

    On Mon, 24 Mar 2008 11:18:03 -0700, Jim Richardson wrote:


    > They generally put in place controls to prevent it yes, which is why it
    > needs some sort of crack to do so. But that doesn't mean the crack is at
    > the OS level, it could be at the app level, since for a system with a
    > CMS, or a wiki like system, there has to be some way to update content,
    > and that is usually done via the web server. ( although I have seen CMS
    > systems that use a separate server process for the admin/update side of
    > things and the serving side of things, for both security and speed
    > reasons. )


    Fair enough.
    Thank you!

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  8. Re: [Roy makes accusations he can't prove] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality

    On Mon, 24 Mar 2008 11:22:04 -0700, Jim Richardson wrote:

    > Say you have a website with two accounts, mypage_1 and mypage_2,
    > facebook or the like. You have a mechanism that allows the owner of
    > mypage_1 to update his site, without allowing him to modify mypage_2. If
    > you screw that mechanism up, (as has happened in the past with, among
    > others, Hotmail IIRC) then you have a problem.
    >
    >
    > Since the system used must be able to modify mypage_* files, Erik's
    > comment about not being able to write to the files is a bit silly. While
    > it's possible to set up a system with an out of band modification
    > system, few Wikis or CMS are set up that way.
    >
    > Unless Erik was talking about a system with pages that never change.
    > Which would be, disingenuous at best.


    Ok I see what you are saying.
    Thanks!



    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  9. Re: [Roy makes accusations he can't prove] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality


  10. Re: [Roy makes accusations he can't prove] [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality


  11. Re: [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality

    > On Fri, 21 Mar 2008 20:19:53 -0400, Erik Funkenbusch wrote:
    > > Most wikis use databases to store the data, do they not? I don't know of
    > > any that update the actual web pages...


    Many use a database, some do not, including the original wiki
    (http://c2.com/cgi/wiki).

    On Mar 21, 5:28 pm, Moshe Goldfarb wrote:
    > That's what I was getting at and please correct this non programmer if I am
    > wrong.
    >
    > I have no clue how the data is stored or changed but my take on it is that
    > they would be crazy to let anyone just update the actual page???


    Bad idea or not, there are tons of web-apps that will not run unless
    they have the ability to write to the filesystem. For example, file
    attachments in forum software or all those stupid signature images
    usually need to be stored on the filesystem somewhere, and since it is
    the web server that receives the files, the web server process needs to
    be able to write somewhere. Storing files in a database tends to not
    be very efficient.

  12. Re: [Rival] Consequcnes of Windows' "Everyone's Admin" Mentality

    On Sun, 30 Mar 2008 02:21:05 -0700 (PDT), zoredache wrote:

    >> On Fri, 21 Mar 2008 20:19:53 -0400, Erik Funkenbusch wrote:
    >>> Most wikis use databases to store the data, do they not? I don't know of
    >>> any that update the actual web pages...
    >
    > Many use a database, some do not, including the original wiki
    > (http://c2.com/cgi/wiki).


    That would be "most" then, would it not? In any case, such a Wiki would be
    intentionally meant for people to alter it, thus negating the issue.

    > On Mar 21, 5:28 pm, Moshe Goldfarb wrote:
    >> That's what I was getting at and please correct this non programmer if I am
    >> wrong.
    >>
    >> I have no clue how the data is stored or changed but my take on it is that
    >> they would be crazy to let anyone just update the actual page???
    >
    > Bad idea or not, there are tons of web-apps that will not run unless
    > they have the ability to write to the filesystem. For example, file
    > attachments in forum software or all those stupid signature images
    > usually need to be stored on the filesystem somewhere, and since it is
    > the web server that receives the files, the web server process needs to
    > be able to write somewhere. Storing files in a database tends to not
    > be very efficient.


    A properly secured system would place file attachments in their own
    separate directory, different from the web pages. Allowing the web server
    user to alter pages is stupid, unless that's what you really want.
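
Added example, not part of any post in this thread: a small Python audit of the point argued above, that anything the web server account can write can be overwritten through a flaw in any web application running as that account, while a dedicated upload directory is the one place where writes are expected. It checks classic mode bits only; the uid values, the `uploads` directory name and the sample tree are constructed assumptions.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Classic Unix mode-bit check; ACLs and root's override are ignored."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_docroot(root, uid, gids, upload_dirs=("uploads",)):
    """Return paths under root that the given account could modify,
    skipping the directories set aside for uploads (assumed names)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir in upload_dirs:
            dirnames[:] = []          # writes are expected here; do not descend
            continue
        for name in [""] + sorted(filenames):   # "" stands for the directory itself
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISLNK(st.st_mode):
                continue              # a symlink's own mode bits mean nothing
            if writable_by(st, uid, gids):
                findings.append(os.path.normpath(os.path.join(rel_dir, name)))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: a static page, a wiki page, an upload."""
    layout = {"index.html": 0o644, "wiki/FrontPage.html": 0o666,
              "uploads/sig.png": 0o666}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for rel, mode in {".": 0o755, "wiki": 0o755, "uploads": 0o777}.items():
        os.chmod(os.path.join(root, rel), mode)

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    build_sample(root)
    owner = os.stat(root).st_uid
    # Hypothetical web server account that owns nothing in the tree.
    print(audit_docroot(root, owner + 1, set()))
    # Same tree when the pages are owned by the web server account itself.
    print(audit_docroot(root, owner, set()))
```

An empty result for the web server account means only the upload directory is writable to it, which is the layout the last post describes.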
