Re: Another flaw in Apache?

From: Jedi/Sector One (j@pureftpd.org)
Date: 06/23/02


Date: Sun, 23 Jun 2002 16:05:16 +0200
From: Jedi/Sector One <j@pureftpd.org>
To: Filipe Jorge Marques de Almeida <filipe@rnl.ist.utl.pt>

On Sun, Jun 23, 2002 at 03:03:13PM +0100, Filipe Jorge Marques de Almeida wrote:
> Don't forget this is not a serious vulnerability in many configurations (if the
> user already has permission to run cgi scripts without suexec, SSI, etc).

  Indeed, the fact that any user can stop the whole web server, or launch
commands as the web server uid despite the use of suexec is not serious.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/     Secure FTP Server     \' /
  \/   Misc. free software   \/


