httpd-dev mailing list archives

From Dean Gaudet <>
Subject Re: Bug in apache httpd 1.1.3 (fwd)
Date Mon, 17 Feb 1997 03:20:28 GMT

---------- Forwarded message ----------
Date: Sun, 16 Feb 1997 19:16:33 -0800 (PST)
From: Dean Gaudet <>
To: Mihai Ibanescu <misa@THOR.INFOIASI.RO>
Subject: Re: Bug in apache httpd 1.1.3

Only some architectures require the apache_status file (those which don't
implement mmap or shared mem "well enough" for some definition of well
enough that I'm too lazy to dig out of the archives).  Linux is one of
them, Solaris isn't.

In 1.2b6 that file has been moved to "logs/apache_runtime_status" which
places it in the ServerRoot.  There are also some notices in the
documentation about the security implications of log file and parent
directory ownership.  So the problem is effectively not there on systems
that are configured correctly.

A temporary fix under 1.1.3 and earlier would be to add the following to
your httpd.conf:

ScoreBoardFile /path/to/root-writeable-only-directory/apache_status

For some appropriate directory.  But note that the same problem exists
with all the log files as well, so your log directory should be
root-writeable only. 

We're open to portable solutions... but as of yet, the 1.2 betas only
document the security implications of this problem and don't do anything
to restrict or warn about it at run time.


On Sun, 16 Feb 1997, Mihai Ibanescu wrote:

>         Hello!
>         I noticed something interesting on my RedHat linux system (and on
> some other linuxes).
>         httpd creates a file /tmp/apache_status, and follows blindly any
> link if /tmp/apache_status points somewhere, for instance /etc/passwd. So
> one can overwrite any file in the system. If she is able to create such a
> link, and I don't think that's impossible.
>         The funny thing is that I have apache 1.1.3 installed on a SPARC
> Solaris, and the problem doesn't exist there. So am I paranoid, or is
> there a problem in the Apache server?
>                                                 Misa
> Department of Computer Science          Mihai Ibanescu
> "Al. I. Cuza" Univ. of Iasi             e-mail:
> Romania                       
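
A check in the spirit of the advice in the message above, as an added example that is not part of the original message and is not Apache code: it walks a ScoreBoardFile or log path up to "/" and flags any component that is a symlink, is not owned by the trusted uid, or is group- or world-writable. The function names and flag values are this example's own.

```c
#define _XOPEN_SOURCE 700  /* for lstat() and the S_IF* names */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define F_SYMLINK  1   /* component is a symbolic link */
#define F_OWNER    2   /* owned by a uid other than the trusted one */
#define F_WRITABLE 4   /* group- or world-writable */

/* Classify one lstat() result; trusted is the only uid allowed to own it. */
int classify(const struct stat *st, uid_t trusted)
{
    int flags = 0;
    if (S_ISLNK(st->st_mode)) return F_SYMLINK;  /* link mode bits mean nothing */
    if (st->st_uid != trusted) flags |= F_OWNER;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) flags |= F_WRITABLE;
    return flags;
}

/* Check path and every parent up to "/". Returns the OR of all findings,
 * or -1 on error. A missing final file is fine: httpd has not created it. */
int audit_path(const char *path, uid_t trusted)
{
    char buf[PATH_MAX];
    struct stat st;
    int all = 0, first = 1;
    if (path[0] != '/' || strlen(path) >= sizeof buf) return -1;
    strcpy(buf, path);
    for (;;) {
        if (lstat(buf, &st) == 0) {
            int f = classify(&st, trusted);
            if (f) printf("%-32s flags=%d\n", buf, f);
            all |= f;
        } else if (!(first && errno == ENOENT)) {
            return -1;
        }
        first = 0;
        if (strcmp(buf, "/") == 0) return all;
        char *slash = strrchr(buf, '/');   /* strip the last component */
        if (slash == buf) buf[1] = '\0'; else *slash = '\0';
    }
}

int main(int argc, char **argv)
{   /* default: the 1.1.3 location from the report; trusted uid 0 is root */
    return audit_path(argc > 1 ? argv[1] : "/tmp/apache_status", 0) != 0;
}
```

Run against the default path, the walk reports /tmp as writable by others on a typical system, which is the condition the ScoreBoardFile workaround avoids.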
