Vulnerability Development mailing list archives

Re: Apache 2.x leaked descriptors


From: jon schatz <jon () divisionbyzero com>
Date: Sat, 22 Feb 2003 14:46:59 -0800

Steve Grubb wrote:
It is normal practice for webhosting companies to put multiple clients on the same machine. What kind of scripting capabilities they give you, if any, varies. If they give you *any* scripting capabilities and the machine runs apache 2.x, then cgi-bin programs can possibly: poison the logs of other sites on the same machine, place malicious content for log analysis programs, delete access log via ftruncate, see what pages or cgi-bins are being accessed on neighboring sites, or read anything dumped into error logs of neighboring websites.

you can do more than that. unless the web server uses suexec, all the cgi's run as the webserver user, who most likely has:

at least w to all log files for all vhosts (probably r+w)
at least r on all webhosting directories
at least r+x on all cgi-bin directories

this is (and has been) a known issue for a while. it has periodically been discussed on the apache mailing lists, and i think it came up on bugtraq recently as well.

-jon
--
jon () divisionbyzero com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus? www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
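An added example, not part of the original post: a small audit an administrator can place in a test vhost's cgi-bin to see which descriptors the server hands to CGI children, and whether any are writable regular files such as the logs discussed in this thread. The function names are hypothetical, and resolving descriptor targets assumes a Linux /proc filesystem.

```python
#!/usr/bin/env python3
"""Audit the descriptors open in this process (for a CGI at startup: inherited ones)."""
import fcntl
import os
import stat

ACCESS = {os.O_RDONLY: "r", os.O_WRONLY: "w", os.O_RDWR: "rw"}


def inherited_fds(min_fd=3, max_fd=1024):
    """Return one record per open descriptor in [min_fd, max_fd); 0-2 are stdio."""
    found = []
    for fd in range(min_fd, max_fd):
        try:
            flags = fcntl.fcntl(fd, fcntl.F_GETFL)
            fdflags = fcntl.fcntl(fd, fcntl.F_GETFD)
            st = os.fstat(fd)
        except OSError:
            continue  # descriptor number is not open
        try:
            target = os.readlink(f"/proc/self/fd/{fd}")
        except OSError:
            target = "?"  # assumption: no Linux-style /proc available
        found.append({
            "fd": fd,
            "target": target,
            "access": ACCESS.get(flags & os.O_ACCMODE, "?"),
            "append": bool(flags & os.O_APPEND),
            "regular": stat.S_ISREG(st.st_mode),
            "cloexec": bool(fdflags & fcntl.FD_CLOEXEC),
        })
    return found


def leaked_writable_files(records):
    """Writable regular files: the log-style descriptors this thread is about."""
    return [r for r in records if r["regular"] and "w" in r["access"]]


if __name__ == "__main__":
    # Run as a CGI: plain-text report of what the parent left open.
    print("Content-Type: text/plain\n")
    records = inherited_fds()
    writable = {r["fd"] for r in leaked_writable_files(records)}
    for r in records:
        note = "  <-- writable file inherited from server" if r["fd"] in writable else ""
        print(f'{r["fd"]:4d} {r["access"]:2s} {r["target"]}{note}')
    print(f"\n{len(writable)} writable file descriptor(s) inherited")
```

A clean result lists no writable regular files; any that appear were opened by the server without close-on-exec and passed through to the CGI.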