Re: SECURITY HOLE: "Guestbook"

smb@research.att.com
Fri, 4 Aug 1995 16:54:57 EDT

         > The version of "Guestbook" available at
         > <URL:http://alpha.pr1.k12.co.us/~mattw/scripts/guestbook.htm>
         > allows execution of arbitrary commands under the server UID.
         > [ ... ]

         > It's the same old story -- forks a shell and sends off user
         > supplied form data without checking it at all.  In my probes
         > I'm also finding sites running their webservers as root...
         > BAD BAD.  DON'T DO THIS.

         Thanks for the alert.

         Aren't most servers configured to change to nobody/nogroup, only being
         launched as root so they can bind to port 80?  Looking at the code (ncsa
         httpd), all privs are given up as soon as the config file is read, when
         it does a setuid(user_id); user_id is read from the httpd.conf User and
         Group entries, and is usually set to nobody and nogroup (UID 65534/GID
         65534 on most systems).

         Surely folks are not putting root in the httpd.conf User field...

For the most part, that's the wrong issue.  The real problem is
letting someone have access at all; most of today's UNIX hosts are
far weaker against attack by someone who already has shell access.
You have to keep the Bad Guys off your machine in the first place;
there are in general so many ways to get root that it doesn't matter
that much whether the initial access is as root or as nobody.
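The "forks a shell and sends off user supplied form data without checking it" pattern from the alert, with a hardened form beside it. This is an added example, not the Guestbook script from the post; the form field values, the echo-based command line and the whitelist regex are constructed for illustration, and /bin/sh and /bin/echo are assumed to be present.

```python
"""Shell command injection in a 1995-style CGI guestbook: the vulnerable
pattern next to a hardened one.  Added example, not the Guestbook script
discussed in the post."""
import re
import subprocess

# Constructed sample form fields, as a hostile and an honest user might submit
# them.  The hostile name closes the double quote the script wraps it in, runs
# an extra command, then reopens the quote so the line still parses.
HOSTILE_NAME = 'Mallory"; echo INJECTED; echo "'
HONEST_NAME = "Alice"


def vulnerable_log_entry(name: str) -> str:
    """Interpolate the form field into a command line and hand it to /bin/sh,
    the way a system()/popen() guestbook did.  Returns what the shell printed
    so the extra command's output is visible; with 'mail' in place of 'echo'
    this is arbitrary command execution under the server UID."""
    cmd = f'echo "Guestbook entry from: {name}"'
    out = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return out.stdout


def hardened_log_entry(name: str) -> str:
    """Never involve a shell: pass the field as one argv element.  Whatever it
    contains (quotes, semicolons, backticks) reaches the program as a single
    argument and is never parsed as shell syntax."""
    out = subprocess.run(
        ["/bin/echo", "Guestbook entry from:", name],
        capture_output=True,
        text=True,
    )
    return out.stdout


# Defence in depth for fields that will later be embedded in something else
# (a mail header, an HTML page): a short whitelist, and reject rather than
# try to "clean" the input.  The hardened path above does not rely on this.
_FIELD_OK = re.compile(r"^[A-Za-z0-9 .,@_-]{1,64}$")


def field_is_acceptable(value: str) -> bool:
    """True only if the field is made of whitelisted characters."""
    return _FIELD_OK.fullmatch(value) is not None


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_log_entry(HOSTILE_NAME)))
    print("hardened:  ", repr(hardened_log_entry(HOSTILE_NAME)))
    print("accept hostile field?", field_is_acceptable(HOSTILE_NAME))
```

The vulnerable path prints INJECTED on its own line because /bin/sh saw three commands; the hardened path prints the hostile string back verbatim as part of one line because no shell ever saw it. The fix is not to quote better or to strip a list of "bad" characters, it is to keep the shell out of the call entirely; the whitelist is a second layer for wherever the data goes next.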