Re: Apache 2.x leaked descriptors

From: jon schatz (jon@divisionbyzero.com)
Date: 02/22/03

    Date: Sat, 22 Feb 2003 14:46:59 -0800
    From: jon schatz <jon@divisionbyzero.com>
    To: Steve Grubb <linux_4ever@yahoo.com>
    
    

    Steve Grubb wrote:
    > It is normal practice for webhosting companies to put multiple clients on
    > the same machine. What kind of scripting capabilities they give you, if
    > any, varies. If they give you *any* scripting capabilities and the machine
    > runs apache 2.x, then cgi-bin programs can possibly: poison the logs of
    > other sites on the same machine, place malicious content for log analysis
    > programs, delete access log via ftruncate, see what pages or cgi-bins are
    > being accessed on neighboring sites, or read anything dumped into error
    > logs of neighboring websites.

    you can do more than that. unless the web server uses suexec, all the
    cgi's run as the webserver user, who most likely has:

    at least w to all log files for all vhosts (probably r+w)
    at least r on all webhosting directories
    at least r+x on all cgi-bin directories

    this is (and has been) a known issue for a while. it has periodically
    been discussed on the apache mailing lists, and i think it came up on
    bugtraq recently as well.

    -jon

    -- 
    jon@divisionbyzero.com || www.divisionbyzero.com
    gpg key: www.divisionbyzero.com/pubkey.asc
    think i have a virus? www.divisionbyzero.com/pgp.html
    "You are in a twisty little maze of Sendmail rules, all confusing."
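An audit sketch for the permission state described in the message above, added here as an example and not part of the original post: it works out from mode bits alone which files a given uid can read or write, so an administrator can compare the shared server account with a separate per-site uid of the kind suexec provides. The directory layout, file names and the "uid + 1" stand-in for a per-site account are constructed assumptions; ACLs and directory traversal rights are not modelled.

```python
import os
import tempfile

def access_for(st, uid, gids):
    """Rights ('r', 'w', 'x') the mode bits alone grant to uid/gids.

    POSIX applies exactly one class: owner, else group, else other.
    ACLs and root's override are not modelled (assumption).
    """
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (st.st_mode >> shift) & 0o7
    return "".join(c for c, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b)

def audit(root, uid, gids, want):
    """Files under root on which the account holds every right in `want`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            got = access_for(os.lstat(path), uid, gids)
            if set(want) <= set(got):
                hits.append((os.path.relpath(path, root), got))
    return sorted(hits)

def demo():
    """Constructed two-vhost layout; every file is owned by the account running this."""
    layout = {"logs/siteA_access.log": 0o644,
              "logs/siteB_access.log": 0o644,
              "siteB/htdocs/config.inc": 0o640}
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        st = os.lstat(os.path.join(root, "logs/siteA_access.log"))
        server = (st.st_uid, {st.st_gid})          # stands in for the shared server account
        tenant = (st.st_uid + 1, {st.st_gid + 1})  # stands in for a separate per-site uid
        return {"server_w": audit(root, *server, "w"),
                "tenant_w": audit(root, *tenant, "w"),
                "tenant_r": audit(root, *tenant, "r")}

if __name__ == "__main__":
    for key, hits in demo().items():
        print(key, hits)
```

On a real host, call `audit()` on the log and vhost roots with the uid and group set the CGIs actually run under.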