Vulnerability Development mailing list archives
Re: Another flaw in Apache?
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sun, 23 Jun 2002 12:17:14 -0400 (EDT)
On Sun, 23 Jun 2002, Filipe Almeida wrote:
> You can kill the httpd children but you can't ptrace them because the processes are not dumpable.

Yes. The point is, if you can send requests that will cause an overflow in every single child running - and you can - you could effectively force all of them to do what you want - e.g. send spoofed data to clients, saying, for example, "This site is 0wned". Or something more subtle. Hijacking of HTTP sessions certainly isn't a minor issue for sites with, say, paid services.

My best guess would be that providers of paid web space access (with .htaccess files enabled) would have some serious problems, especially if they also have commercial customers.

Some time ago, I published a funny vulnerability in Sendmail (-bD option + SIGHUP). It wouldn't give you root, but it would give you the listening socket bound to port 25. Go figure. This allows, for example, transparent mail sniffing, and is effectively a service compromise. With Apache, that'd be the same, except that in the age of e-commerce and web authentication, an "owned" Apache daemon will more likely lead to trouble other than just privacy compromise.

--
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/