httpd-dev mailing list archives

From: Eric Covener <cove...@gmail.com>
Subject: Re: [patch] Fix cross-user symlink race condition vulnerability
Date: Wed, 31 Oct 2012 12:00:49 GMT

On Wed, Oct 31, 2012 at 7:31 AM, Graham Leggett <minfrin@sharp.fm> wrote:
> On 31 Oct 2012, at 6:46 AM, Eric Jacobs <ejacobs@bluehost.com> wrote:
>
>> There is a race condition vulnerability in httpd 2.2.23 (also present
>> in previous releases) that allows a malicious user to serve arbitrary
>> files from nearly anywhere on a server that isn't protected by strict
>> OS-level permissions. In a shared hosting environment, this is a big
>> vulnerability.
>>
>> If you would like more information on the exploit itself, please let
>> me know. I have a proof of concept that is able to hit the exploit
>> with 100% success.
>>
>> This is my first patch submitted to Apache, so I'm sorry if I've
>> missed something. I'm aware that this doesn't meet some of the code
>> standards that are in place (e.g., it doesn't work at all on Windows),
>> but I wanted to put it out there anyway.
>>
>> The patch that fixes the vulnerability is attached. Thank you in
>> advance for the feedback.
>
> As this is reported as a security issue, would it be possible instead
> to email the details to security@httpd.apache.org, and we can take a
> look?
>

In general that is the proper form -- but this particular issue is
documented as a limitation:

"Omitting this option should not be considered a security restriction,
since symlink testing is subject to race conditions that make it
circumventable."
