Bugtraq mailing list archives
Re: Bug in apache httpd 1.1.3
From: dgaudet () ARCTIC ORG (Dean Gaudet)
Date: Sun, 16 Feb 1997 19:16:33 -0800
Only some architectures require the apache_status file (those which don't implement mmap or shared mem "well enough" for some definition of well enough that I'm too lazy to dig out of the archives). Linux is one of them, Solaris isn't.

In 1.2b6 that file has been moved to "logs/apache_runtime_status" which places it in the ServerRoot. There are also some notices in the documentation about the security implications of log file and parent directory ownership. So the problem is effectively not there on systems that are configured correctly.

A temporary fix under 1.1.3 and earlier would be to add the following to your httpd.conf:

    ScoreBoardFile /path/to/root-writeable-only-directory/apache_status

For some appropriate directory. But note that the same problem exists with all the log files as well, so your log directory should be root-writeable only.

We're open to portable solutions... but as of yet, the 1.2 betas only document the security implications of this problem and don't do anything to restrict or warn about it at run time.

Dean

On Sun, 16 Feb 1997, Mihai Ibanescu wrote:
> Hello!
>
> I noticed something interesting on my RedHat linux system (and on some other linuxes). httpd creates a file /tmp/apache_status, and follows blindly any link if /tmp/apache_status points somewhere, for instance /etc/passwd. So one can overwrite any file in the system. If she is able to create such a link, and I don't think that's impossible.
>
> The funny thing is that I have apache 1.1.3 installed on a SPARC Solaris, and the problem doesn't exist there.
>
> So am I paranoid, or is there a problem in the Apache server?
>
> Misa
>
> Department of Computer Science    Mihai Ibanescu
> "Al. I. Cuza" Univ. of Iasi       e-mail: misa () infoiasi ro
> Romania                           http://www.infoiasi.ro/~misa
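
The ownership check recommended in the reply above (scoreboard and log directories writable by root only) can be automated. The following is an added example, not part of the original messages and not Apache code; the function name, its parameters and the stop_at limit are hypothetical.

```python
import os
import stat

def audit_write_path(path, trusted_uids=frozenset({0}),
                     trusted_gids=frozenset({0}), stop_at="/"):
    """Return findings for a file that a root-run daemon will create or write.

    Flags the file if it already exists as a symlink, and every directory from
    its parent up to stop_at that an untrusted user could write to.
    Raises FileNotFoundError if a parent directory does not exist.
    """
    findings = []
    path = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)

    # A symlink already sitting at the target is the condition in the report.
    try:
        if stat.S_ISLNK(os.lstat(path).st_mode):
            findings.append(f"{path}: is a symlink to {os.readlink(path)}")
    except FileNotFoundError:
        pass  # not created yet; the directory checks still apply

    current = os.path.dirname(path)
    while True:
        st = os.lstat(current)
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{current}: directory component is a symlink")
        else:
            if st.st_uid not in trusted_uids:
                findings.append(f"{current}: owned by uid {st.st_uid}")
            if st.st_mode & stat.S_IWOTH:
                # The sticky bit does not help: anyone can still create a link.
                findings.append(f"{current}: world-writable")
            elif st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
                findings.append(f"{current}: writable by gid {st.st_gid}")
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings

if __name__ == "__main__":
    # Default scoreboard location named in the report.
    for finding in audit_write_path("/tmp/apache_status"):
        print(finding)
```

An empty result means no directory on the path can be written by anyone outside the trusted sets; run it against the ScoreBoardFile path and each log file path.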