httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christophe JAILLET <christophe.jail...@wanadoo.fr>
Subject Re: [patch] Fix cross-user symlink race condition vulnerability
Date Wed, 31 Oct 2012 07:10:09 GMT
Le 31/10/2012 05:46, Eric Jacobs a écrit :
> There is a race condition vulnerability in httpd 2.2.23 (also present 
> in previous releases) that allows a malicious user to serve arbitrary 
> files from nearly anywhere on a server that isn't protected by strict 
> os level permissions. In a shared hosting environment, this is a big 
> vulnerability.
>
> If you would like more information on the exploit itself, please let 
> me know. I have a proof of concept that is able to hit the exploit 
> with 100% success.
>
> This is my first patch submitted to Apache, so I'm sorry if I've 
> missed something. I'm aware that this doesn't meet some of the code 
> standards that are in place (e.g, it doesn't work at all on Windows), 
> but I wanted to put it out there anyway.
>
> The patch that fixes the vulnerability is attached. Thank you in 
> advance for the feedback.
>

Hi,

could you please open a bug report on bugzilla 
(https://issues.apache.org/bugzilla/) so that your message and proposed 
patch does not get lost in this mailing list.

Thanks in advance.

Best regards,
Christophe JAILLET


Mime
View raw message