httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Randy Terbush <ra...@zyzzyva.com>
Subject Re: suexec/269: Server-side include exec cmd with suEXEC bug (fwd)
Date Sun, 06 Apr 1997 19:35:04 GMT
What do you suggest Marc. Should we just check cmd[0] == '/'?


> There are several bug reports on this issue.  Sigh.
> 
> ---------- Forwarded message ----------
> Date: Thu, 27 Mar 1997 07:10:02 -0800 (PST)
> From: Mark Bentley <bentlema@cs.umn.edu>
> To: apache-bugdb@apache.org
> Cc: apache-bugdb@apache.org
> Subject: suexec/269: Server-side include exec cmd with suEXEC bug
> 
> 
> 	The contract type is `' with a response time of 3 business hours.
> 	A first analysis should be sent before: Thu Mar 27 11:00:02 PST 1997
> 
> 
> >Number:         269
> >Category:       suexec
> >Synopsis:       Server-side include exec cmd with suEXEC bug
> >Confidential:   no
> >Severity:       critical
> >Priority:       medium
> >Responsible:    apache (Apache HTTP Project)
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   apache
> >Arrival-Date:   Thu Mar 27 07:10:02 1997
> >Originator:     bentlema@cs.umn.edu
> >Organization:
> apache
> >Release:        1.2b7
> >Environment:
> 
> >Description:
> An SSI such as:
> 
>  <!--#exec cmd="bin/myscript" -->
> 
> which is relative to UserDir, doesn't work because of these lines in suEXEC:
> 
>     /*
>      * Check for a '/' in the command to be executed,
>      * to protect against attacks.  If a '/' is
>      * found, error out.  Naughty naughty crackers.
>      */
>     if ((strchr(cmd, '/')) != NULL ) {
>         log_err("invalid command (%s)\n", cmd);
>         exit(104);
>     }
> 
>  
> >How-To-Repeat:
> 
> >Fix:
> 
> >Audit-Trail:
> >Unformatted:
> 




Mime
View raw message