Re: Another flaw in Apache?

From: Michal Zalewski (lcamtuf@bos.bindview.com)
Date: 06/23/02


Date: Sun, 23 Jun 2002 10:13:32 -0400 (EDT)
From: Michal Zalewski <lcamtuf@bos.bindview.com>
To: Filipe Jorge Marques de Almeida <filipe@rnl.ist.utl.pt>

On Sun, 23 Jun 2002, Filipe Jorge Marques de Almeida wrote:

> Don't forget this is not a serious vulnerability in many configurations
> (if the user already has permission to run cgi scripts without suexec,
> SSI, etc).

Not exactly. You have access to the httpd child process, not a
spawned CGI script. This means that you control some interesting goods,
such as file descriptors, or... oh well, the child process itself. Think
about serving spoofed contents to all requests? Besides, suexec is pretty
popular nowadays.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/


