httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <br...@organic.com>
Subject NCSA httpd: patch for CGI insecurity (fwd)
Date Fri, 05 May 1995 06:20:14 GMT

To which I replied, "CGI scripts are a security hole, period, if the 
admin can not trust the people putting up scripts behind the server." 

By the way, does this close the error log before the script gets to it?  
Very bad, as I think the scripts should be allowed to write to the error 
log with stderr for debugging purposes.  Unless we decide we can have a 
stderr_log....

	Brian

---------- Forwarded message ----------
Date: Thu, 4 May 1995 16:17:55 -0700 (PDT)
From: Paul Phillips <paulp@cerf.net>
To: www-security@ns2.rutgers.edu, www-managers@list.Stanford.EDU,
    bugtraq@fc.net, httpd@ncsa.uiuc.edu
Subject: NCSA httpd: patch for CGI insecurity



On Thu, 4 May 1995, Paul Phillips wrote:

> It was pointed out that fchdir could conceivably be used to escape a 
> chrooted area.  I also really don't like the idea that a CGI can log an 
> arbitrary amount of false information.  Trashing the log files at least 
> informs the web admin that something is up, but information warfare can 
> be more dangerous than information vandalism.

Sorry to quote myself, but this is quite more serious than I had 
originally painted it.  I know of some commercial web space providers 
that charge by the byte for bandwidth used.  If I have an account and CGI 
access on the same server that someone else does, what is to stop me from 
logging lots of entries for someone else on the server, greatly 
increasing their tab? Nothing.  In fact, with a single CGI I could fork 
another process that sits around in the background and logs accesses to 
my enemies every minute or so.

Not good.  Anyone running any NCSA server that uses the logs for 
billing is on thin ice.  On that note, here is a patch for httpd1.4 that 
fixes the problem.


*** http_log.c.orig     Thu May  4 16:00:27 1995
--- http_log.c  Thu May  4 16:13:26 1995
***************
*** 57,62 ****
--- 57,64 ----
  extern char *save_name;

  void open_logs() {
+     int flags;
+
      if(!(error_log = fopen(error_fname,"a"))) {
          fprintf(stderr,"httpd: could not open error log file %s.\n",
                  error_fname);
***************
*** 81,86 ****
--- 83,106 ----
          perror("fopen");
          exit(1);
      }
+
+     /* set close-on-exec flag so CGI's cannot get to logs */
+
+     flags = fcntl(fileno(error_log), F_GETFD);
+     flags |= FD_CLOEXEC;
+     fcntl(fileno(error_log), F_SETFD, flags);
+
+     flags = fcntl(xfer_log, F_GETFD);
+     flags |= FD_CLOEXEC;
+     fcntl(xfer_log, F_SETFD, flags);
+
+     flags = fcntl(fileno(agent_log), F_GETFD);
+     flags |= FD_CLOEXEC;
+     fcntl(fileno(agent_log), F_SETFD, flags);
+
+     flags = fcntl(fileno(referer_log), F_GETFD);
+     flags |= FD_CLOEXEC;
+     fcntl(fileno(referer_log), F_SETFD, flags);
  }

  void close_logs() {


------------ End patch -----------------

--
Paul Phillips                                 EMAIL: paulp@cerf.net  
WWW: http://www.primus.com/staff/paulp/       PHONE: (619) 220-0850



Mime
View raw message