Bugtraq mailing list archives
[Fwd: HTTPd 1.5a Security Hole!!! (fwd)]
From: agent () l0pht com (Rogue Agent)
Date: Tue, 6 Feb 1996 19:28:04 -0500
---------- Forwarded message ---------- Date: Tue, 6 Feb 1996 17:47:08 -0600 From: John P. Nelson <jnelson () INTERNOC COM> To: Multiple recipients of list IAP <IAP () VMA CC ND EDU> Subject: HTTPd 1.5a Security Hole!!! VERY IMPORTANT for Internet Service Providers using linux, providing public WWW space!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------- FROM: The InterNetwork Operating Company, Inc. RE: InterNOC Security Advisory Known Affected Systems: Linux 1.2.8 using NCSA HTTPd 1.5a Description: The InterNetwork Operating Company has discovered a security hole related to Linux 1.2.8 and NCSA HTTPd 1.5a. In affected systems, the NCSA server, running as nobody/nogroup is able to access any files that are mode ?00 (readable only by owner). The security hole is known to occur through symbolic links as well as through aliases specified in the srm.conf file. It is known that through properly placed symbolic links, it is possible to obtain the shadow password file, user mail files, etc. This is extermely important for public Internet Service Providers that provide users with WWW space. This same security hole has been tested on BSDI 2.0.1, which does not appear to be affected. It has not yet been tested on other systems or with other http servers. jnelson () internoc com John Nelson The InterNetwork Operating Company, Inc.
Current thread:
- Re: bind() Security Problems Richard Black (Feb 01)
- Re: bind() Security Problems dsiebert () icaen uiowa edu (Feb 01)
- Re: bind() Security Problems General Scirocco (Feb 01)
- Re: bind() Security Problems Baba Z Buehler (Feb 05)
- passwd command in AIX 4.1.4 Dave Roberts (Feb 05)
- Re: passwd command in AIX 4.1.4 Chris Burris (Feb 05)
- Re: passwd command in AIX 4.1.4 JaDe (Feb 05)
- CGI security: Escape newlines. Jennifer Myers (Feb 05)
- Re: CGI security: Escape newlines. Dave Andersen (Feb 05)
- Re: CGI security: Escape newlines. Fred Cohen (Feb 06)
- [Fwd: HTTPd 1.5a Security Hole!!! (fwd)] Rogue Agent (Feb 06)
- Re: bind() Security Problems General Scirocco (Feb 01)
- Re: bind() Security Problems dsiebert () icaen uiowa edu (Feb 01)
- abuse Red Hat 2.1 security hole David J Meltzer (Feb 02)
- resizecons Red Hat 2.1 security hole David J Meltzer (Feb 02)
- <Possible follow-ups>
- Re: bind() Security Problems Alan Cox (Feb 01)