httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 44752] New: Suexec does not correctly check that scripts are inside the docroot
Date Thu, 03 Apr 2008 21:07:48 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=44752

           Summary: Suexec does not correctly check that scripts are inside
                    the docroot
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_suexec
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: sf@sfritsch.de


Suexec does not check correctly that the executed script is inside the 
docroot directory. It does 

        chdir(AP_DOC_ROOT)
        getcwd(dwd, AP_MAXPATH)

to get the docroot directory and then does a simple

        strncmp(cwd, dwd, strlen(dwd))

to compare it with the working directory. But getcwd returns the
directory without a trailing slash (at least under Linux). This means
that, if AP_DOC_ROOT is set to e.g. /var/www, suexec will happily
execute scripts under /var/www.bak. The same is true for userdir
requests, i.e. /home/joe/public_html.bak will be accepted.


As Joe Orton pointed out, this is
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1742

The advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511
also lists a race condition.


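The prefix comparison described in the report, next to a variant that requires the match to end on a path-component boundary. This is an added example, not part of the original message and not suexec's code or the project's fix; the function names are hypothetical, and both arguments are assumed to be absolute paths as returned by getcwd(). It does not address the race condition the advisory also lists.

```c
#include <stdio.h>
#include <string.h>

/* Comparison as described in the report: dwd (docroot from getcwd)
 * has no trailing slash, so any sibling sharing the prefix matches. */
static int prefix_only_check(const char *cwd, const char *dwd)
{
    return strncmp(cwd, dwd, strlen(dwd)) == 0;
}

/* Hypothetical hardened variant: after the prefix matches, the next
 * character of cwd must be end-of-string or '/'. */
static int component_boundary_check(const char *cwd, const char *dwd)
{
    size_t n = strlen(dwd);

    if (n == 0)
        return 0;                 /* an empty docroot contains nothing */
    while (n > 1 && dwd[n - 1] == '/')
        n--;                      /* tolerate a configured trailing slash */
    if (strncmp(cwd, dwd, n) != 0)
        return 0;                 /* also covers cwd shorter than dwd */
    if (n == 1 && dwd[0] == '/')
        return 1;                 /* docroot "/" contains every absolute path */
    return cwd[n] == '\0' || cwd[n] == '/';
}

int main(void)
{
    /* Constructed sample paths, using the directories named in the report. */
    const char *docroot = "/var/www";
    const char *samples[] = {
        "/var/www", "/var/www/cgi-bin", "/var/www.bak", "/var/wwwroot/x", "/var"
    };
    size_t i;

    printf("%-20s %-12s %s\n", "cwd", "prefix-only", "boundary");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %-12s %s\n", samples[i],
               prefix_only_check(samples[i], docroot) ? "accept" : "reject",
               component_boundary_check(samples[i], docroot) ? "accept" : "reject");
    return 0;
}
```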

