Full Disclosure mailing list archives
Re: Apache::Gallery local webserver compromise, privilege escalation
From: Jon Hart <warchild () spoofed org>
Date: Wed, 10 Sep 2003 00:19:46 -0400
On Mon, Sep 08, 2003 at 08:21:13PM -0400, Jon Hart wrote:
> Thanks to Michael Legart, Andreas Plesner and the rest of the Apache::Gallery team for a prompt response and fix. You can get the latest version of Apache::Gallery which fixes this problem by removing Inline::C at: http://svn.apachegallery.dk/snapshots/
Just as a quick follow-up, A::G 0.7 has been released, which includes among other things the removal of Inline::C. If upgrading to 0.7 is not possible, simply change the call to Inline on line 27 of Gallery.pm to something like:

    use Inline (C => Config =>
                LIBS => '-L/usr/X11R6/lib -lImlib2 -lm -ldl -lXext -lXext',
                INC => '-I/usr/X11R6/include',
                UNTAINT => 1,
                DIRECTORY => "/some/path/"
    );

Where /some/path is a "secure" path that only the user the gallery runs as has access to, like $apacheroot/gallery/Inline. Of course this isn't the most elegant fix, but it will save you if 0.7 isn't possible or desirable.

Thanks to a tip from a colleague of mine, the following entry in crontab will help you to beat the race condition of getting the files removed:

    @reboot /path/to/exploit/exploit.sh

Where exploit.sh contains something like:

    #!/bin/sh
    mkdir -p /tmp/lib/auto/Apache/Gallery_4033
    cp ~/exploits/Gallery* /tmp/lib/auto/Apache/Gallery_4033

The next time the machine is rebooted, as soon as cron is started, your exploit script will be run. This should work on most Linux distributions.

-jon

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
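The workaround above hinges on the DIRECTORY handed to Inline being a path that only the gallery's own user can write to; a world-writable build directory (such as one under /tmp) is what lets another local user plant a compiled object for the web server to load. The following POSIX shell check is an added example, not code from the original post or from the Apache::Gallery project: the function name check_inline_dir, its two arguments (the Inline directory and the user the gallery runs as) and the www-data user in the usage line are assumptions. It returns 0 only if the directory exists, is owned by the expected user, is neither group- nor world-writable, and contains no file owned by anyone else.

```shell
#!/bin/sh
# Added example (not from the original post or from Apache::Gallery):
# verify that the directory given to Inline's DIRECTORY option is private
# to the user the gallery runs as before trusting the objects built in it.
#
# Usage: check_inline_dir /path/to/Inline www-data
# Returns 0 when every check passes, 1 otherwise (reason printed on stderr).
check_inline_dir() {
    dir=$1
    owner=$2

    if [ ! -d "$dir" ]; then
        echo "check_inline_dir: $dir does not exist" >&2
        return 1
    fi

    # -prune stops find from descending, so only $dir itself is examined.
    if [ -z "$(find "$dir" -prune -user "$owner" -print 2>/dev/null)" ]; then
        echo "check_inline_dir: $dir is not owned by $owner" >&2
        return 1
    fi

    # -perm -020 / -perm -002 match when the group- or other-write bit is set;
    # either one means another local account could drop a .so into the tree.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "check_inline_dir: $dir is group- or world-writable" >&2
        return 1
    fi

    # Anything inside the tree not owned by $owner may be a planted object.
    foreign=$(find "$dir" ! -user "$owner" -print 2>/dev/null)
    if [ -n "$foreign" ]; then
        echo "check_inline_dir: files not owned by $owner found:" >&2
        echo "$foreign" >&2
        return 1
    fi

    return 0
}

# Stand-alone run: report on the directory named on the command line
# (defaults shown are placeholders, not values from the original post).
if [ "$(basename "$0")" = "check_inline_dir.sh" ]; then
    check_inline_dir "${1:-/var/www/gallery/Inline}" "${2:-www-data}" \
        && echo "ok: Inline directory is private to ${2:-www-data}"
fi
```

Run it against the path you put in DIRECTORY (and the user from the Apache User directive); a non-zero exit means the workaround is not actually protecting you. Note that a directory under /tmp will fail the world-writable check by design.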
Current thread:
- Apache::Gallery local webserver compromise, privilege escalation Jon Hart (Sep 08)
- Re: Apache::Gallery local webserver compromise, privilege escalation Jon Hart (Sep 09)