httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: Apache security problems (fwd)
Date Thu, 16 Jan 1997 02:06:55 GMT
Marc, I would suggest sending this to the reporter.
God only knows what the end result will look like
regardless of how technical or non-technical you try
to be. :) 

> On Thu, 16 Jan 1997, Rob Hartill wrote:
> 
> > 
> > Does anyone who actually did some of the work fixing the holes want to
> > talk to Nick ?
> > 
> > If you just watched as others fixed it (like me), don't use this
> > just to get some personal PR points :-)
> > 
> > The answers seem to be
> > 
> > 	- the seriousness is unknown since we're not aware of an exploit
> > 	   it could affect any of the N00,000 users of Apache.
> > 	- ?
> > 	- no
> > 	- the potential to add new code/data into the program where it
> > 	   should be.
> 
> What I would say is below, but I think it is too technical.  <sigh>
> Problem is that you either have to lie and give an overly simplistic
> version, or you have to have the person report a completely wild and crazy
> version of it.  The first case, you get a wrong version in the press but
> at least you get to make up what wrong version it is.
> 
> I think it is important to note that the mod_cookie hole is NOT an easy
> exploit and is likely impossible to exploit.    I have already seen people
> saying Apache has a huge hole that gives you instant root on any server it
> runs on...
> 
> I think you also have to be very careful using the term "data" because
> people will immediately think of the web pages they have stored on the
> server as the data.
> 
> > 
> > Check with Brian that he hasn't already responded.
> 
> It is after afternoon right now, so it is likely a bit late.  Brian, if
> you haven't responded say so.  I'm not sure my answer below is of much use
> even if it isn't too late and there hasn't been a response, but if it is I
> would encourage someone to tell me to send it to him or forward it... 
> 
> > 
> > ---------- Forwarded message ----------
> > Date: Wed, 15 Jan 1997 15:20:15 -0800
> > From: Nick Wingfield <nickw@central.cnet.com>
> > To: Rob Hartill <robh@imdb.com>
> > Subject: Apache security problems
> > 
> > Rob,
> > 
> > I saw the alert on the security problems in Apache 1.1.1. Would you mind
> > answering a few questions for an article that I'm doing on the security
> > problems? (I'd like to quote your responses unless you prefer that I don't.) 
> > 
> > --Can you tell me how serious the problems were and how many users they
> > might affect? 
> 
> There are two distinct problems.  One is that it is possible to get a
> listing of the files in a directory even though there is an
> index file (such as 'index.html') which should be shown instead.  This
> does not allow access to any information which would not otherwise be
> available, but anyone relying on people not knowing the URL for something
> to hide it should take note.
> 
> The second problem is that the length of some information which can be
> controlled by remote sites (the hostname, eg. central.cnet.com, of the
> client connecting) was not being limited properly, so someone could
> manipulate their hostname and overwrite other things in memory if it were
> of an unusual length.
> 
> The problems can potentially affect all of the several hundred thousand
> servers running Apache.
> 
> > --How could the problems be exploited by someone? 
> 
> To get a directory listing of a directory even though there is an index
> file, people simply need to enter a particular URL into their browser
> which makes the server think it can't find the index file.
> 
> The second hole is, at best, extremely difficult to exploit, and may well
> not be possible to exploit to compromise security.  Manipulating your
> hostname is not an easy task, and even when you do that it would have to
> be in a very specific form to allow you to gain access to the web server.
> Even if you could do this, it would not be superuser (ie. root) access,
> so you would still not have complete control over the machine.
> 
> > --To your knowledge, has anyone exploited the security holes in Apache?
> 
> The first one, yes.  The second one, no.  The second one is only a very
> remote possibility and I am quite doubtful that it can be exploited.
> However, our policy is that if there is any chance of there being a
> problem we need to release a fixed version as soon as possible; better
> safe than sorry.  
> 
> > --What does "scribbling a memory stack" mean in laymen's terms? 
> 
> Overwriting memory which is not supposed to be used for the data involved.
> If you then are able to manage to put the right data in the right place it
> is possible to make the web server do undesirable things.  Simply
> overwriting the memory does nothing to allow you to exploit the hole, but
> it has to be done in a very particular way which depends on many things,
> including what type of computer the server is running on.
> 
> > 
> > Thanks for your help, Rob. I'm filing my article this afternoon so email me
> > as soon as you can.
> > 
> > Sincerely,
> > 
> > Nick 
> > 
> > P.S. I've also emailed Brian Behlendorf, but because of my deadline I thought
> > I'd try to contact you as well.
> > 
> > 
> > 
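The second problem Marc describes above (a remote-controlled hostname whose length was not checked before it was copied into memory) is the classic fixed-buffer overflow. The C below is an added illustration of that bug class and its fix, written for this archive page; it is not Apache's or mod_cookie's actual code, and the buffer size, the cookie format (hostname + pid + time) and the function names are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size cookie buffer, sized to illustrate the problem;
 * not taken from Apache's source. */
#define COOKIE_BUF_LEN 64
/* Maximum length of a DNS name (RFC 1035), used as the sanity bound. */
#define MAX_HOSTNAME_LEN 255

/* The vulnerable pattern: the reverse-looked-up client hostname is written
 * into a fixed stack buffer with no length check. A hostname longer than
 * the buffer writes past its end ("scribbling" the stack). Kept only to
 * show the shape of the bug; never call it with untrusted input. */
void make_cookie_unchecked(char *out, const char *host, long pid, long now)
{
    char buf[COOKIE_BUF_LEN];
    sprintf(buf, "%s%ld%ld", host, pid, now);   /* unbounded: overflows if host is long */
    strcpy(out, buf);                           /* and again here */
}

/* Reject anything that cannot be a legitimate hostname: empty, too long,
 * or containing characters outside [A-Za-z0-9.-]. Returns 1 if acceptable. */
int hostname_is_sane(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > MAX_HOSTNAME_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* The hardened form: the destination size is passed in and honoured.
 * Returns 0 on success, 1 if the input did not fit (output is truncated
 * but still NUL-terminated), -1 on a formatting error. */
int make_cookie_checked(char *out, size_t outlen, const char *host, long pid, long now)
{
    if (outlen == 0)
        return -1;
    int n = snprintf(out, outlen, "%s%ld%ld", host, pid, now);
    if (n < 0)
        return -1;
    return (size_t)n >= outlen ? 1 : 0;
}

/* Combined policy (hypothetical): refuse suspicious hostnames outright
 * rather than truncating, so a hostile reverse-DNS answer never reaches
 * the formatting step. Returns -2 when the hostname is rejected. */
int make_cookie_for_client(char *out, size_t outlen, const char *host, long pid, long now)
{
    if (!hostname_is_sane(host)) {
        if (outlen)
            out[0] = '\0';
        return -2;
    }
    return make_cookie_checked(out, outlen, host, pid, now);
}

int main(void)
{
    char cookie[COOKIE_BUF_LEN];
    /* Constructed sample input: a short, well-formed hostname. */
    make_cookie_unchecked(cookie, "central.cnet.com", 1234, 853380415);
    printf("unchecked: %s\n", cookie);
    int rc = make_cookie_for_client(cookie, sizeof cookie, "central.cnet.com", 1234, 853380415);
    printf("checked (rc=%d): %s\n", rc, cookie);
    return 0;
}
```

The point Marc makes about exploitability holds for this pattern too: an over-long hostname by itself only corrupts adjacent stack memory and most likely crashes the child process; turning that into code execution needs a specific layout that depends on the compiler, platform and build, which is why bounding the copy (or rejecting the input) is the right fix regardless of whether anyone has a working exploit.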