Re: Apache 2.x leaked descriptors

From: Joe Orton (jorton@redhat.com)
Date: 03/13/03

    Date: Thu, 13 Mar 2003 12:51:45 +0000
    From: Joe Orton <jorton@redhat.com>
    To: vuln-dev@securityfocus.com

    I think you can be more inventive on what a malicious script author can do
    if they can run arbitrary code from a CGI script, under the Apache
    model: here are some things I can come up with:

    - using ptrace() on an httpd child: now you can get the httpd child to
    run arbitrary code, so "fd leaks" from child to CGI script are really
    irrelevant. (This is an old trick: nCipher used this as a demo of how to
    extract in-server SSL private keys using a CGI script)

    - send signals to the server children: SIGSTOP will make a quick'n'easy
    DoS.

    I'm sure there are more. The bottom line is that you must trust CGI
    script authors with the privileges of the user which httpd runs as.

    Regards,

    joe
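As an added example that is not part of Joe's mail or of the Apache project: the trust boundary he describes is "same uid as the httpd children", so the useful defensive check is to confirm that CGI children do not share the workers' uid (e.g. when suexec or a separate CGI user is in place) and that no worker is currently being traced. The script below parses `/proc/<pid>/status` records (a real Linux format) into a small structure and runs both checks; the sample records and the process name `httpd` are constructed for the example, and the live-host helper assumes a Linux `/proc` filesystem.

```python
"""Audit helper (added example): flag httpd workers that are being ptrace()d
and CGI children that run under the same uid as the workers."""

import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcInfo:
    pid: int
    name: str
    ppid: int
    uid: int         # real uid (first column of the Uid: line)
    tracer_pid: int  # 0 when nobody is attached with ptrace()


def parse_status(text: str) -> ProcInfo:
    """Parse the key/value lines of a /proc/<pid>/status record."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return ProcInfo(
        pid=int(fields["Pid"]),
        name=fields["Name"],
        ppid=int(fields["PPid"]),
        uid=int(fields["Uid"].split()[0]),
        tracer_pid=int(fields.get("TracerPid", "0")),
    )


def audit(procs: List[ProcInfo], server_name: str = "httpd") -> Dict[str, List[int]]:
    """Return worker pids that are traced, and CGI child pids sharing a worker uid.

    A child of a worker that is not itself the server binary is treated as a
    CGI process; if it shares the workers' uid it can ptrace() or signal them,
    which is exactly the situation the mail says you must trust the author for.
    """
    workers = [p for p in procs if p.name == server_name]
    worker_pids = {p.pid for p in workers}
    worker_uids = {p.uid for p in workers}
    traced = sorted(p.pid for p in workers if p.tracer_pid != 0)
    cgi_same_uid = sorted(
        p.pid for p in procs
        if p.ppid in worker_pids and p.name != server_name and p.uid in worker_uids
    )
    return {"traced_workers": traced, "cgi_same_uid": cgi_same_uid}


def read_live_procs(proc_root: str = "/proc") -> List[ProcInfo]:
    """Collect status records from a live Linux /proc (assumed to exist)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                procs.append(parse_status(fh.read()))
        except (OSError, KeyError, ValueError):
            continue  # process exited or record was unreadable
    return procs


# Constructed sample records: two workers (one being traced by pid 2000),
# a CGI child running as the worker uid, and a CGI child under its own uid.
SAMPLE_STATUS = [
    "Name:\thttpd\nPid:\t1000\nPPid:\t999\nTracerPid:\t0\nUid:\t48\t48\t48\t48\n",
    "Name:\thttpd\nPid:\t1001\nPPid:\t999\nTracerPid:\t2000\nUid:\t48\t48\t48\t48\n",
    "Name:\tcgi.pl\nPid:\t2000\nPPid:\t1001\nTracerPid:\t0\nUid:\t48\t48\t48\t48\n",
    "Name:\tcgi.pl\nPid:\t2001\nPPid:\t1000\nTracerPid:\t0\nUid:\t1500\t1500\t1500\t1500\n",
]
SAMPLE_PROCS = [parse_status(s) for s in SAMPLE_STATUS]


if __name__ == "__main__":
    result = audit(SAMPLE_PROCS)
    print("workers currently traced:", result["traced_workers"])
    print("CGI children sharing the worker uid:", result["cgi_same_uid"])
```

On a real host replace `SAMPLE_PROCS` with `read_live_procs()`; an empty `cgi_same_uid` list means the CGI processes are already running under a uid distinct from the workers, which is the separation the mail's last paragraph implies you need if you do not want to extend full trust to script authors.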

