
Re: NCSA httpd again: CGI scripts and log file descriptors
On Thu, 4 May 1995, Prentiss Riddle wrote:

> Would anyone care to comment on Phillips' speculation as to whether
> this hole could do more than trash your logs?

It was pointed out that fchdir could conceivably be used to escape a 
chrooted area.  I also really don't like the idea that a CGI can log an 
arbitrary amount of false information.  Trashing the log files at least 
informs the web admin that something is up, but information warfare can 
be more dangerous than information vandalism.

> Furthermore, assuming you have tight restrictions on the CGI scripts
> you make available, is there any reason to believe that this could be
> exploited by malicious *users* (as opposed to malicious CGI authors)?

Nope, unless augmented by another hole that subverts the path translation 
mechanism in httpd to execute CGIs.

I just tested httpd 1.4; the hole is still there.  I didn't receive any 
comment from NCSA when I informed them of it the first time, and I did 
describe the fix (setting the close-on-exec flag of the fds).

--
Paul Phillips                                 EMAIL: paulp@cerf.net  
WWW: http://www.primus.com/staff/paulp/       PHONE: (619) 220-0850
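The fix Phillips describes, marking the server's log descriptor close-on-exec so a CGI child never inherits it, as an added example that is not NCSA httpd's code or anything posted in this thread. It assumes a POSIX system with `/bin/sh` available for the empirical check; the file paths are constructed for the demonstration.

```c
/* Added example (not NCSA httpd code): keep a server's log file descriptor
 * from leaking into exec()'d CGI children by setting FD_CLOEXEC on it.
 * Assumes POSIX and /bin/sh for the exec check. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* The leaky pattern: a plain open() leaves the descriptor inheritable
 * across exec(), so every CGI the server spawns can use it. */
int open_log_leaky(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* The fix: set FD_CLOEXEC so the kernel closes the fd in the child at exec(). */
int open_log_cloexec(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return -1;
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Audit helper: 1 if fd carries FD_CLOEXEC, 0 if it does not, -1 on error. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Empirical check: fork, exec /bin/sh, and have it redirect to the fd number.
 * The redirection succeeds only if the fd survived exec().
 * Returns 1 if the child could still use it (leak), 0 if not, -1 on error. */
int fd_survives_exec(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": >&%d", fd);  /* fails in sh if fd is closed */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);  /* exec failed; report as "could not use fd" */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Returns 1 when the fixed open() behaves as intended: the close-on-exec
 * flag is set and the descriptor is gone after exec(); 0 otherwise. */
int cloexec_fix_holds(const char *path) {
    int fd = open_log_cloexec(path);
    if (fd < 0) return 0;
    int ok = fd_is_cloexec(fd) == 1 && fd_survives_exec(fd) == 0;
    close(fd);
    return ok;
}

int main(void) {
    char path[] = "/tmp/cgi_log_demo_XXXXXX";  /* constructed demo log file */
    int t = mkstemp(path);
    if (t < 0) { perror("mkstemp"); return 1; }
    close(t);

    int leaky = open_log_leaky(path);
    int fixed = open_log_cloexec(path);
    if (leaky < 0 || fixed < 0) { perror("open"); unlink(path); return 1; }

    printf("leaky fd %d: cloexec=%d survives exec=%d\n",
           leaky, fd_is_cloexec(leaky), fd_survives_exec(leaky));
    printf("fixed fd %d: cloexec=%d survives exec=%d\n",
           fixed, fd_is_cloexec(fixed), fd_survives_exec(fixed));

    close(leaky);
    close(fixed);
    unlink(path);
    return 0;
}
```

The same `fcntl(F_SETFD, FD_CLOEXEC)` treatment applies to any directory descriptor a server holds open, which is the mitigation for the `fchdir` concern raised above; `fd_is_cloexec` is the kind of check an admin can run over a server's open descriptors to confirm nothing inheritable is left behind before it spawns CGIs.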