Bugtraq mailing list archives
Re: Blocking Nimda and kin
From: Brett Glass <brett () lariat org>
Date: Thu, 08 Nov 2001 16:00:47 -0700
You have a good point. How would you guard against this sort of spoofing? Require several rapid-fire hits before blocking, perhaps?

Also, it turns out that the "%400,404a" is erroneous. This was a mistake on my part that stemmed from a misunderstanding of the Apache documentation. It's better just to use %a there, since adding the "400,404" in the middle can create a malformed command in certain unusual circumstances. (No harm will be done, though.)

By the way, Apache runs its master process as root and demotes all the others it spawns to a uid of your choosing. The master process opens the log files, so yes, the command is run as root. Note that no user input is used in the command, so it's not possible to execute a command of your choosing via this mechanism.

--Brett

At 03:46 PM 11/8/2001, Peter W wrote:
> This is very cool stuff. So if I can get someone to view an HTML page|email with code like
> <IMG alt="" height="0" width="0" hspace="0" vspace="0" src="http://brettglass.example.com/winnt/system32/cmd.exe">,
> I can easily prevent them, or anyone else coming from the same space, from reaching your Web server. Get some AOL users to read the messages and bye-bye to all the AOL proxy server traffic. Get lots of usenet "victims", and even if they don't care about your Web site, man, your routing table suddenly looks bad. Very (un)cool.
>
> -Peter
>
> P.S. If that exec sh route thing actually works, does that mean your httpd is running as root?
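As an added illustration of the two points Brett raises above (require several rapid-fire hits from one client before blocking it, and never let request data reach a command that runs as root), the following Python is example code written for this page; it is not Brett's piped-log script and is not part of the original thread. The probe substrings, the threshold and window values, the constructed log lines and the /sbin/blockip command path are all assumptions; the log format is Apache's common log format with the client address in the first field, as %a would log it.

```python
import ipaddress
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Assumed request substrings that mark Nimda / Code Red style probes.
PROBE_SIGNATURES = ("cmd.exe", "root.exe", "default.ida")

# Apache common log format: %h %l %u %t "%r" %>s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Hypothetical blocking helper; stands in for whatever the real script runs as root.
BLOCK_COMMAND = "/sbin/blockip"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def is_probe(request):
    """True if the request line contains one of the worm probe signatures."""
    return any(sig in request.lower() for sig in PROBE_SIGNATURES)


def is_literal_ip(text):
    """Accept only a bare IPv4/IPv6 literal. The value should come from the
    client's socket address, but the command runs as root, so refuse anything else."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def build_block_argv(ip):
    """argv for the (hypothetical) block command; raises rather than interpolating junk."""
    if not is_literal_ip(ip):
        raise ValueError("refusing to pass non-IP value to root command: %r" % ip)
    return [BLOCK_COMMAND, ip]


class ThresholdBlocker:
    """Block a client only after `threshold` probe hits inside `window_seconds`.
    A lone hit, such as the one an <IMG> tag on a page the victim merely viewed
    would generate, is recorded but does not trigger a block."""

    def __init__(self, threshold=3, window_seconds=10):
        self.threshold = threshold
        self.window = window_seconds
        self.hits = defaultdict(deque)
        self.blocked = set()

    def observe(self, line):
        """Feed one log line; return the client IP if it just crossed the threshold."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ip, ts, req, _status = parsed
        if not is_probe(req):
            return None
        q = self.hits[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()  # forget hits that fell out of the window
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            return ip
        return None


def run(lines, threshold=3, window_seconds=10):
    """Return the IPs that would be blocked, in order, for a sequence of log lines."""
    blocker = ThresholdBlocker(threshold, window_seconds)
    return [ip for ip in (blocker.observe(line) for line in lines) if ip]


# Constructed sample: a rapid-fire worm, a single IMG-tag victim, and a slow prober.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/2001:16:00:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 297
203.0.113.7 - - [08/Nov/2001:16:00:01 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 297
203.0.113.7 - - [08/Nov/2001:16:00:02 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
203.0.113.7 - - [08/Nov/2001:16:00:02 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
198.51.100.20 - - [08/Nov/2001:16:00:05 -0700] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 297
198.51.100.20 - - [08/Nov/2001:16:01:30 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.9 - - [08/Nov/2001:16:00:05 -0700] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 297
192.0.2.9 - - [08/Nov/2001:16:00:40 -0700] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 297
192.0.2.9 - - [08/Nov/2001:16:01:15 -0700] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 297
"""

if __name__ == "__main__":
    # Piped-log use would be: CustomLog "|/path/to/this/script.py" common
    piped = sys.stdin is not None and not sys.stdin.isatty()
    source = sys.stdin if piped else SAMPLE_LOG.splitlines()
    for ip in run(source):
        print(" ".join(build_block_argv(ip)))
```

With the default threshold of three hits in ten seconds, only 203.0.113.7 is blocked: the IMG-tag victim 198.51.100.20 produces one hit and the slow prober 192.0.2.9 never has three hits inside one window. Widening the window to two minutes catches the slow prober as well, which is the trade-off any such threshold sets. The `is_literal_ip` check is the programmatic form of Brett's observation that no user input may reach the root-run command; it guards against a log format change later putting a hostname or request string in that field.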