www-apache-bugdb mailing list archives

From Phil Rosenthal <win...@villaweb.net>
Subject mod_log-any/2085: Logfiles provide a big backdoor in apache v*
Date Mon, 20 Apr 1998 22:54:33 GMT

>Number:         2085
>Category:       mod_log-any
>Synopsis:       Logfiles provide a big backdoor in apache v*
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Apr 20 17:10:01 PDT 1998
>Originator:     winter@villaweb.net
>Release:        ALL
Linux 2.0.33
Linux frozen.villaweb.net 2.0.33 #7 Sun Mar 29 06:19:26 EST 1998 i586 unknown  
I was trying to hack my box (just to see if/how others could), and I found
a very big, and dangerous flaw...
I had a logfiles directory for every user where they had all the standard
Apache logs...
ln -s /etc/passwd TransferLog
I went and rehashed httpd (as root, sooner or later, all admins rehash webservers)
killall -HUP httpd
and, voila, I (as a regular user) now had write access to /etc/passwd
you can't control what gets written, but, it is still very dangerous...
I also found a temporary fix, but I think there should be an option in
apache where you control what user writes the logfile...
I compiled the "rotatelogs" program (it's in one of the apache source
subdirs), and put it in /usr/bin
I added a "htlogd" user, and chown'd the file to htlogd.htlogd, and made
it suid, so it executes as user htlogd
adduser htlogd ; chown htlogd.htlogd rotatelogs ; chmod 4700 rotatelogs
I made all of the logfiles dirs owned by htlogd, and I changed all of the
logfile lines in httpd.conf in this fashion:
TransferLog "/home/website.com/logfiles/TransferLog"
TransferLog "|rotatelogs /home/website.com/logfiles/TransferLog 86400"

It is a fairly good temporary fix...
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
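The condition the report describes (a log target that has been replaced by a symlink in a user-controlled directory) is something an administrator can check for before sending httpd a HUP. The script below is an added example, not code from the report or from Apache: it pulls the TransferLog/ErrorLog/CustomLog targets out of an httpd.conf and refuses any that is a symlink or sits in a directory not owned by the trusted uid or writable by others. It assumes GNU stat(1); the `demo` function builds a constructed temporary log tree and config to run the audit against.

```shell
#!/bin/sh
# Pre-reload audit of httpd.conf log targets (added example; GNU stat assumed).
# A log path is refused if it is a symlink, or if its directory is not owned by
# TRUSTED_UID or is group/other writable (a user could swap the file before
# httpd reopens it on HUP). Paths must not contain whitespace.
TRUSTED_UID=${TRUSTED_UID:-0}

# log_path_is_safe PATH: 0 if PATH is a regular file or absent, in a trusted,
# non-group/other-writable directory; 1 (with a reason on stderr) otherwise.
log_path_is_safe() {
    path=$1; dir=$(dirname "$path")
    if [ -L "$path" ]; then
        echo "UNSAFE: $path is a symbolic link" >&2; return 1
    fi
    if [ -e "$path" ] && [ ! -f "$path" ]; then
        echo "UNSAFE: $path is not a regular file" >&2; return 1
    fi
    [ -d "$dir" ] || { echo "UNSAFE: directory $dir is missing" >&2; return 1; }
    set -- $(stat -c '%u %a' "$dir")          # owner uid, permission bits (octal)
    if [ "$1" != "$TRUSTED_UID" ]; then
        echo "UNSAFE: $dir owned by uid $1, not $TRUSTED_UID" >&2; return 1
    fi
    if [ $(( 0$2 & 022 )) -ne 0 ]; then
        echo "UNSAFE: $dir is group/other writable (mode $2)" >&2; return 1
    fi
    return 0
}

# audit_config CONF: check each TransferLog/ErrorLog/CustomLog file target in
# CONF. Piped targets ("|prog ...") are skipped: httpd does not open those as
# files. Returns the number of unsafe targets, so 0 means the reload is safe.
audit_config() {
    bad=0
    for target in $(awk '$1 ~ /^(TransferLog|ErrorLog|CustomLog)$/ {print $2}' "$1" | tr -d '"'); do
        case $target in '|'*) continue ;; esac
        log_path_is_safe "$target" || bad=$((bad + 1))
    done
    return $bad
}

# demo: constructed log tree with one honest log dir and one world-writable dir
# holding a symlinked TransferLog, plus a matching config; returns the bad count.
demo() {
    root=$(mktemp -d); TRUSTED_UID=$(id -u)   # mktemp gives mode 700, owned by us
    mkdir "$root/good" "$root/bad"; : > "$root/good/TransferLog"; : > "$root/secret"
    ln -s "$root/secret" "$root/bad/TransferLog"; chmod 777 "$root/bad"
    printf '%s\n' "ErrorLog \"$root/good/ErrorLog\"" \
        "TransferLog \"$root/good/TransferLog\"" \
        "TransferLog \"$root/bad/TransferLog\"" \
        "CustomLog \"|rotatelogs $root/good/TransferLog 86400\" common" > "$root/httpd.conf"
    audit_config "$root/httpd.conf"; bad=$?
    rm -rf "$root"; return $bad
}
```

Running `demo` reports only the symlinked target under the world-writable directory as unsafe; the absent ErrorLog, the honest TransferLog and the piped rotatelogs target pass.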
