httpd-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: [patch] Fix cross-user symlink race condition vulnerability
Date Wed, 31 Oct 2012 11:31:06 GMT
On 31 Oct 2012, at 6:46 AM, Eric Jacobs <ejacobs@bluehost.com> wrote:

> There is a race condition vulnerability in httpd 2.2.23 (also present in previous releases) that allows a malicious user to serve arbitrary files from nearly anywhere on a server that isn't protected by strict OS-level permissions. In a shared hosting environment, this is a big vulnerability.
> 
> If you would like more information on the exploit itself, please let me know. I have a proof of concept that is able to hit the exploit with 100% success.
> 
> This is my first patch submitted to Apache, so I'm sorry if I've missed something. I'm aware that this doesn't meet some of the code standards that are in place (e.g., it doesn't work at all on Windows), but I wanted to put it out there anyway.
> 
> The patch that fixes the vulnerability is attached. Thank you in advance for the feedback.

As this is reported as a security issue, would it be possible instead to email the details
to security@httpd.apache.org, and we can take a look?

Regards,
Graham