Bugtraq mailing list archives

NCSA httpd: patch for CGI insecurity


From: paulp () CERF NET (Paul Phillips)
Date: Thu, 4 May 1995 16:17:55 -0700 (PDT)


On Thu, 4 May 1995, Paul Phillips wrote:

> It was pointed out that fchdir could conceivably be used to escape a 
> chrooted area.  I also really don't like the idea that a CGI can log an 
> arbitrary amount of false information.  Trashing the log files at least 
> informs the web admin that something is up, but information warfare can 
> be more dangerous than information vandalism.

Sorry to quote myself, but this is quite more serious than I had 
originally painted it.  I know of some commercial web space providers 
that charge by the byte for bandwidth used.  If I have an account and CGI 
access on the same server that someone else does, what is to stop me from 
logging lots of entries for someone else on the server, greatly 
increasing their tab? Nothing.  In fact, with a single CGI I could fork 
another process that sits around in the background and logs accesses to 
my enemies every minute or so.

Not good.  Anyone running any NCSA server that uses the logs for 
billing is on thin ice.  On that note, here is a patch for httpd1.4 that 
fixes the problem.


*** http_log.c.orig     Thu May  4 16:00:27 1995
--- http_log.c  Thu May  4 16:13:26 1995
***************
*** 57,62 ****
--- 57,64 ----
  extern char *save_name;

  void open_logs() {
+     int flags;
+
      if(!(error_log = fopen(error_fname,"a"))) {
          fprintf(stderr,"httpd: could not open error log file %s.\n",
                  error_fname);
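Review bot: the new `int flags;` only helps if `fcntl`, `F_GETFD` and `FD_CLOEXEC` are declared in this file, and nothing in the hunk adds `#include <fcntl.h>`; confirm http_log.c already pulls it in, since an implicitly declared fcntl() compiles on compilers of this era but with no type checking of the arguments.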
***************
*** 81,86 ****
--- 83,106 ----
          perror("fopen");
          exit(1);
      }
+
+     /* set close-on-exec flag so CGI's cannot get to logs */
+
+     flags = fcntl(fileno(error_log), F_GETFD);
+     flags |= FD_CLOEXEC;
+     fcntl(fileno(error_log), F_SETFD, flags);
+
+     flags = fcntl(xfer_log, F_GETFD);
+     flags |= FD_CLOEXEC;
+     fcntl(xfer_log, F_SETFD, flags);
+
+     flags = fcntl(fileno(agent_log), F_GETFD);
+     flags |= FD_CLOEXEC;
+     fcntl(fileno(agent_log), F_SETFD, flags);
+
+     flags = fcntl(fileno(referer_log), F_GETFD);
+     flags |= FD_CLOEXEC;
+     fcntl(fileno(referer_log), F_SETFD, flags);
  }

  void close_logs() {
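Review bot: none of the eight fcntl(2) calls checks its return value; if F_GETFD fails, `flags` is -1 and `-1 | FD_CLOEXEC` is handed to F_SETFD, so the failure is silent and that log descriptor stays inherited by CGI children, which is exactly the condition the patch is meant to remove. Suggest folding the repeated three-line sequence into a small helper that checks both calls and reports, e.g. `if (set_cloexec(fileno(error_log)) == -1) perror("fcntl");`, called once per log. Also, `xfer_log` is passed to fcntl directly while the other three go through fileno(); that is correct only if `xfer_log` is an int descriptor rather than a FILE *, and a one-line comment saying so would stop the asymmetry from reading as a typo.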


------------ End patch -----------------

--
Paul Phillips                                 EMAIL: paulp () cerf net  
WWW: http://www.primus.com/staff/paulp/       PHONE: (619) 220-0850
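The following is an added example, not part of the original post or of NCSA httpd, that checks the close-on-exec fix the patch applies: it opens a scratch log, shows that a program exec'd from a child process can still append to the inherited descriptor, then sets FD_CLOEXEC (with the fcntl return values checked, which the patch does not do) and shows the same child can no longer reach it. It assumes a POSIX system with /bin/sh and a writable path; the "spoofed entry" marker and the file name are constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec, checking both fcntl results (the patch above
 * ignores them). Returns 0 on success, -1 on failure. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;                       /* already protected */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* Stand-in for a CGI child: fork, exec /bin/sh, and have it try to append a
 * constructed marker through the inherited descriptor number. Returns 1 if
 * the child managed to write, 0 if the descriptor was closed across exec,
 * -1 on error. */
int child_can_write(int fd) {
    struct stat before, after;
    if (fstat(fd, &before) == -1)
        return -1;

    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* After exec the shell only has descriptors that survived exec;
         * ">&N" fails with EBADF when fd was marked close-on-exec. */
        char cmd[96];
        snprintf(cmd, sizeof cmd,
                 "exec 2>/dev/null; printf 'spoofed entry' >&%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (fstat(fd, &after) == -1)
        return -1;
    return after.st_size > before.st_size ? 1 : 0;
}

/* Open a scratch log at `path` (constructed, not an httpd log), show that an
 * exec'd child can append to it, apply the fix, and show that it no longer
 * can. Returns 1 when the fix behaves as intended, 0 if it does not, -1 on a
 * setup error. The scratch file is removed afterwards. */
int demo_cloexec_protects_log(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_APPEND, 0600);
    if (fd == -1)
        return -1;

    int leaked = child_can_write(fd);   /* expected 1: fd inherited */
    int fixed = -1;
    if (set_cloexec(fd) == 0)
        fixed = child_can_write(fd);    /* expected 0: closed at exec */

    close(fd);
    unlink(path);
    if (leaked == -1 || fixed == -1)
        return -1;
    return (leaked == 1 && fixed == 0) ? 1 : 0;
}

int main(void) {
    int r = demo_cloexec_protects_log("/tmp/cloexec_demo.log");
    printf("close-on-exec %s the log from the exec'd child\n",
           r == 1 ? "protected" : "did NOT protect");
    return r == 1 ? 0 : 1;
}
```

The shell child stands in for a CGI script: it inherits the parent's descriptor table across fork and, without FD_CLOEXEC, still holds the log after exec, which is what lets a script append entries it never earned. Setting the flag on each log descriptor right after the log is opened, as the patch does, is the narrowest fix; checking the fcntl results means a failure shows up at startup rather than as quietly inherited descriptors.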


