httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Re: Apache security problems (fwd)
Date Thu, 16 Jan 1997 01:48:53 GMT
On Thu, 16 Jan 1997, Rob Hartill wrote:

> 
> Does anyone who actually did some of the work fixing the holes want to
> talk to Nick ?
> 
> If you just watched as other fixed it (like me), don't use this to
> just to get some personal PR points :-)
> 
> The answers seem to be
> 
> 	- the seriousness is unknown since we're not aware of an exploit
> 	   it could affect any of the N00,000 users of Apache.
> 	- ?
> 	- no
> 	- the potential to add new code/data into the program where it
> 	   should be.

What I would say is below, but I think it is too technical.  <sigh>
Problem is that you either have to lie and give an overly simplistic
version, or you have to have the person report a completely wild and crazy
version of it.  The first case, you get a wrong version in the press but
at least you get to make up what wrong version it is.

I think it is important to note that the mod_cookie hole is NOT an easy
exploit and is likely impossible to exploit.    I have already seen people
saying Apache has a huge hole that gives you instant root on any server it
runs on...

I think you also have to be very careful using the term "data" because
people will immediately think of the web pages they have stored on the
server as the data.

> 
> Check with Brian that he hasn't already responded.

It is after afternoon right now, so it is likely a bit late.  Brian, if
you haven't responded say so.  I'm not sure my answer below is of much use
even if it isn't too late and there hasn't been a response, but if it is I
would encourage someone to tell me to send it to him or forward it... 

> 
> ---------- Forwarded message ----------
> Date: Wed, 15 Jan 1997 15:20:15 -0800
> From: Nick Wingfield <nickw@central.cnet.com>
> To: Rob Hartill <robh@imdb.com>
> Subject: Apache security problems
> 
> Rob,
> 
> I saw the alert on the security problems in Apache 1.1.1. Would you mind
> answering a few questions for an article that I'm doing on the security
> problems? (I'd like to quote your responses unless you prefer that I don't.) 
> 
> --Can you tell me how serious the problems were and how many users they
> might affect? 

There are two distinct problems.  One is that it is possible to get a
listing of the files in a directory even though there is an
index file (such as 'index.html') which should be shown instead.  This
does not allow access to any information which would not otherwise be
available, but anyone relying on people not knowing the URL for something
to hide it should take note.

The second problem is that the length of some information which can be
controlled by remote sites (the hostname, eg. central.cnet.com, of the
client connecting) was not being limited properly, so someone could
manipulate their hostname and overwrite other things in memory if it were
of an unusual length.

The problems can potentially affect all of the several hundred thousand
servers running a Apache.

> --How could the problems be expolited by someone? 

To get a directory listing of a directory even though there is an index
file, people simply need to enter a particular URL into their browser
which makes the server think it can't find the index file.

The second hole is, at best, extremely difficult to exploit, and may well
not be possible to exploit to compromise security.  Manipulating your
hostname is not an easy task, and even when you do that it would have to
be in a very specific form to allow you to gain access to the web server.
Even if you could do this, it would not be superuser (ie. root) access,
so you would still not have complete control over the machine.

> --To your knowledge, has anyone exploited the security holes in Apache?

The first one, yes.  The second one, no.  The second one is only a very
remote possibility and I am quite doubtful that it can be exploited.
However, our policy is that if there is any chance of there being a
problem we need to release a fixed version as soon as possible; better
safe than sorry.  

> --What does "scribbling a memory stack" mean in laymen's terms? 

Overwriting memory which is not supposed to be used for the data involved.
If you then are able to manage to put the right data in the right place it
is possible to make the web server do undesirable things.  Simply
overwriting the memory does nothing to allow you to exploit the hole, but
it has to be done in a very particular way which depends on many things,
including what type of computer the server is running on.

> 
> Thanks for your help, Rob. I'm filing my article this afternoon so email me
> as soon as you can.
> 
> Sincerely,
> 
> Nick 
> 
> P.S. I've also email Brian Behlendfor, but because of my deadline I thought
> I'd try to contact you as well.
> 
> 
> 


Mime
View raw message