Re: CGI script insecurity in NCSA httpd

Jeremy Fitzhardinge (jeremy@sour.sw.oz.au)
Fri, 28 Apr 1995 16:32:54 +1000 (EST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Lorna Leong : "Re: Good Times "virus" question"
Previous message: Colin Jenkins : "Good Times "virus" info received. Thanks to all."

> Greetings, all.  Anyone with access to CGI scripts on your server can
> destroy all your logfiles and possible wreak other havoc.  
>[...]
> whether cracking root was possible.  It does not appear so, since fchmod
> checks the euid of the process even though it has an open descriptor,
> and this is normally "nobody".  HOWEVER, I have not given the matter an 
> enormous amount of thought, so a greater vulnerability may exist here.
> I welcome comments.

If it leaves a directory open, the CGI script could use fchdir()
(on those systems where it exists) to escape a chrooted area.
fchdir() needs no special permissions, but the process would have
to be allowed into the destination directory (that is, it needs to
be executable set for the CGI script's credentials).

	J

Next message: Lorna Leong : "Re: Good Times "virus" question"
Previous message: Colin Jenkins : "Good Times "virus" info received. Thanks to all."