www-apache-bugdb mailing list archives

From Bram Kivenko <b...@xspace.com>
Subject suexec/237: Inappropriate bypass of suexec / Inappropriate usage of suexec
Date Mon, 17 Mar 1997 12:00:02 GMT

>Number:         237
>Category:       suexec
>Synopsis:       Inappropriate bypass of suexec / Inappropriate usage of suexec
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Mar 17 04:00:02 1997
>Originator:     bram@xspace.com
>Release:        1.2b7
>Environment:
UNIX (physically checked 1.2b6)
>Description:
(a) Bypass:
     I believe that it is possible to bypass suexec with the use of an "nph-*"
     CGI.  This gives server permission state to the CGI, could be root, or
     possibly allow a user to erase the web server!

(b) Usage:
     I have since replaced the suexec utility, finding it rather dangerous,
     however, what prevents someone running the suexec command from a shell
     possibly to take advantage of extra executables in public_html directory?
>How-To-Repeat:
(a) Create an nph- CGI!
(b) Run suexec from a shell, substituting your own information and parameters!
>Fix:
(a)  Have nph- CGIs also call SUEXEC.
(b)  I have temporarily amended this problem by passing on a secret password
     to suexec -- this is obviously a poor improvement.  This password is added
     just before calling suexec and rests securely only if the source code is
     unreadable!  A better suggestion would be to verify that the calling
     process was the web-server...  Don't know how to do that.
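
The suggestion that closes the message, verifying that the caller is the web server, can be approximated in a setuid wrapper by checking the real UID of the invoking process. The following is an added example, not part of the original message and not suexec's own code; HTTPD_USER ("www") and the function names are assumptions.

```c
/* Added example. HTTPD_USER "www" is an assumed account name. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define HTTPD_USER "www"   /* assumption: account the web server runs as */

enum verdict { CALLER_OK = 0, CALLER_UNKNOWN = 1, CALLER_MISMATCH = 2 };

/* Pure decision: pw is the passwd entry for the caller's real UID, or NULL. */
enum verdict judge_caller(const struct passwd *pw, const char *expected)
{
    if (pw == NULL || pw->pw_name == NULL)
        return CALLER_UNKNOWN;          /* UID with no account: refuse */
    if (strcmp(pw->pw_name, expected) != 0)
        return CALLER_MISMATCH;         /* e.g. a shell user running the wrapper */
    return CALLER_OK;
}

/* Look up the real UID. In a setuid-root wrapper geteuid() is always 0,
 * so only getuid() says who actually started the program. */
enum verdict check_caller(uid_t real_uid, const char *expected)
{
    return judge_caller(getpwuid(real_uid), expected);
}

int main(void)
{
    enum verdict v = check_caller(getuid(), HTTPD_USER);
    if (v != CALLER_OK) {
        fprintf(stderr, "refusing: caller uid %ld is not %s (verdict %d)\n",
                (long)getuid(), HTTPD_USER, (int)v);
        return 100 + (int)v;
    }
    /* Only past this point would a wrapper go on to validate the target
     * user, group and program path before changing identity. */
    puts("caller accepted");
    return 0;
}
```

The check identifies the calling account, not the calling process: any program already running as the web-server account passes it, so it narrows who can invoke the wrapper without proving that the server itself did.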
