httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: [Fwd: Apache httpd vulnerabilities]
Date Tue, 29 May 2007 23:09:16 GMT


On 05/29/2007 11:28 PM, William A. Rowe, Jr. wrote:
> Ian Holsman wrote:
> 
>>Hey Bill
>>
>>just to clarify these are LOCAL DoS attacks? ie you need access to the
>>machine (or the ability to execute php) in order for this to be an issue?
> 
> 
> AIUI all of these are loading modules of untrusted code (or a scripting
> language which gives you the same effect.)  Now mod_perl has minimal
> presumption that it can be used to run untrusted code, while the PHP
> community anticipates running untrusted code.  The httpd community is
> (mostly) suspect on invoking untrusted code in-process.
> 
> That said, #2/3 looks like the only significant issue IMHO.  That the
> parent could be coerced to do something 'as root' is badness, and
> we can agree with the reporter on that.  As the reporter apparently
> believes 2 weeks is enough to solve any security issue, these are now
> public.

2 weeks? The text in the reporter's mail (see end of mail) speaks about
May 16th, 2006. This would be about a year (and this is mentioned as the
reason for publishing). When did they actually send this to security@,
and to which one (security@apache.org, security@httpd.apache.org)?

> 
> #1 and #4 are minor, IMHO, as resource consumption is pretty trivial
> if you are running anyone's code on your machine, through the facilities
> of serving httpd or giving them a local user account.  I'd classify #1
> as a bug, and #4 as silly but possibly worth patching.
> 
> Essentially, PID tables need to move from the score to a local process
> list only in the parent, and unshared.  That would solve the 80/20 of
> this entire class of issues.

So, I guess #2/#3 happens due to a manipulation of the pids in the scoreboard
which tricks the parent process into sending the signals to the wrong pids (once
it has a need to do so to its children).
Any more details about #1/#4?

Regards

Rüdiger

>>>
>>>
>>>The information on the vulnerabilities above was sent to Apache
>>>Software Foundation on 16 May, 2006. For over 1 year no official patch
>>>has been issued. PSNC Security Team is currently working on its own,
>>>unofficial patches. Our patches will be published on 18 June, 2007 on
>>>the team webpage (http://security.psnc.pl). On 20 June, 2007 the
>>>detailed information on the found vulnerabilities will be issued.
>>>
>>>
>>>PSNC Security Team
>>>
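The design Bill sketches above (the parent keeping its PID list private and unshared, so a tampered scoreboard cannot redirect its signals) and the mechanism Rüdiger infers for #2/#3, as an added illustration that is not httpd's code. The `sb_slot` scoreboard struct, the slot-indexed `pid_table`, and the function names are all constructed for this example; the scenario in `main` uses the process's own PID as a stand-in for a forked child and signal 0 so that nothing is actually killed.

```c
/* Added example, not httpd code: the parent records every child it forks
 * in a private, unshared table and only ever signals PIDs from that table.
 * The shared scoreboard is modelled as a plain struct that any child (or
 * untrusted in-process code) could overwrite; its pid field is treated as
 * untrusted and used for nothing but detecting a mismatch. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_CHILDREN 8

/* Modelled shared scoreboard slot: writable by children, hence untrusted. */
struct sb_slot { pid_t pid; };

/* Parent-private table, indexed by scoreboard slot, never mapped shared. */
struct pid_table { pid_t pid[MAX_CHILDREN]; };

static void pid_table_init(struct pid_table *t) { memset(t, 0, sizeof *t); }

/* Record the child the parent itself forked into `slot`.
 * Returns 0, or -1 for an out-of-range slot or a PID no child can have. */
static int pid_table_set(struct pid_table *t, int slot, pid_t pid) {
    if (slot < 0 || slot >= MAX_CHILDREN || pid <= 1) return -1;
    t->pid[slot] = pid;
    return 0;
}

/* Forget a child once the parent has reaped it. */
static void pid_table_clear(struct pid_table *t, int slot) {
    if (slot >= 0 && slot < MAX_CHILDREN) t->pid[slot] = 0;
}

/* Resolve the PID to act on for `slot` from the private table only.
 * Returns 0 if the parent owns no live child there. *tampered is set when
 * the scoreboard disagrees with the parent's own record. */
static pid_t resolve_slot(const struct pid_table *t, const struct sb_slot *sb,
                          int slot, int *tampered) {
    *tampered = 0;
    if (slot < 0 || slot >= MAX_CHILDREN) return 0;
    if (t->pid[slot] != 0 && sb[slot].pid != t->pid[slot]) *tampered = 1;
    return t->pid[slot];
}

/* Signal the child in `slot`, with the private table as source of truth.
 * Returns 0 if kill() succeeded, -1 if no owned child sits in that slot
 * (nothing is sent), -2 if kill() itself failed. A PID taken from the
 * scoreboard is never used as the target. */
static int signal_slot(const struct pid_table *t, const struct sb_slot *sb,
                       int slot, int sig) {
    int tampered;
    pid_t target = resolve_slot(t, sb, slot, &tampered);
    if (tampered)
        fprintf(stderr, "slot %d: scoreboard pid %ld != private pid %ld; "
                "scoreboard value ignored\n",
                slot, (long)sb[slot].pid, (long)target);
    if (target == 0) return -1;
    return kill(target, sig) == 0 ? 0 : -2;
}

int main(void) {
    struct pid_table t;
    struct sb_slot sb[MAX_CHILDREN];
    pid_table_init(&t);
    memset(sb, 0, sizeof sb);

    /* Constructed scenario: our own PID stands in for a forked child. */
    pid_t child = getpid();
    pid_table_set(&t, 0, child);
    sb[0].pid = child;

    /* A child overwrites its scoreboard slot so it points at PID 1 (init). */
    sb[0].pid = 1;

    /* Signal 0 only checks existence; the parent still targets `child`. */
    int rc = signal_slot(&t, sb, 0, 0);
    printf("slot 0: rc=%d (0 = delivered to the parent's own child)\n", rc);

    /* A slot the parent never populated cannot be signalled at all. */
    rc = signal_slot(&t, sb, 3, 0);
    printf("slot 3: rc=%d (-1 = refused, no owned child)\n", rc);
    return 0;
}
```

The point of the split is that the scoreboard stays a status channel the parent may read, while the decision "whom do I signal" is answered only from memory no child can write; the mismatch log line is then a detection signal for tampering rather than a path to the wrong process.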
