httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Jacobs <>
Subject [patch] Fix cross-user symlink race condition vulnerability
Date Wed, 31 Oct 2012 04:46:47 GMT
There is a race condition vulnerability in httpd 2.2.23 (also present in 
previous releases) that allows a malicious user to serve arbitrary files 
from nearly anywhere on a server that isn't protected by strict os level 
permissions. In a shared hosting environment, this is a big vulnerability.

If you would like more information on the exploit itself, please let me 
know. I have a proof of concept that is able to hit the exploit with 
100% success.

This is my first patch submitted to Apache, so I'm sorry if I've missed 
something. I'm aware that this doesn't meet some of the code standards 
that are in place (e.g, it doesn't work at all on Windows), but I wanted 
to put it out there anyway.

The patch that fixes the vulnerability is attached. Thank you in advance 
for the feedback.


Eric Jacobs
Junior Systems Administrator

View raw message