Re: NCSA httpd again: CGI scripts and log file descriptors
On Thu, 4 May 1995, Prentiss Riddle wrote:
> Would anyone care to comment on Phillips' speculation as to whether
> this hole could do more than trash your logs?
It was pointed out that fchdir could conceivably be used to escape a
chrooted area. I also really don't like the idea that a CGI can log an
arbitrary amount of false information. Trashing the log files at least
informs the web admin that something is up, but information warfare can
be more dangerous than information vandalism.
> Furthermore, assuming you have tight restrictions on the CGI scripts
> you make available, is there any reason to believe that this could be
> exploited by malicious *users* (as opposed to malicious CGI authors)?
Nope, unless augmented by another hole that subverts the path translation
mechanism in httpd to execute CGIs.
I just tested httpd1.4, the hole is still there. I didn't receive any
comment from NCSA when I informed them of it the first time, and I did
describe the fix (setting the close-on-exec flag of the fds.)
--
Paul Phillips EMAIL: paulp@cerf.net
WWW: http://www.primus.com/staff/paulp/ PHONE: (619) 220-0850
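As an added illustration of the descriptor inheritance Phillips describes and the close-on-exec fix he reported (example code written for this page, not part of the original message or of NCSA httpd): it opens a scratch log file at a constructed path, launches a stand-in "CGI" (/bin/sh) and reports whether the child can still reach the descriptor after exec, with and without FD_CLOEXEC.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a scratch "log" the way the 1995 server did: a plain open(), so every
   child, CGI scripts included, inherits the descriptor. The path is a
   constructed placeholder and the file is unlinked immediately. */
int open_log_plain(void) {
    char path[] = "/tmp/httpd-log-XXXXXX";
    int fd = mkstemp(path);
    if (fd >= 0) unlink(path);
    return fd;
}

/* The fix Phillips describes: set the close-on-exec flag so that exec() of
   a CGI closes the descriptor. Returns 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) ? -1 : 0;
}

/* Simulate the CGI launch: fork, exec /bin/sh and let the shell probe
   whether fd 3 is still open. Returns 1 if the descriptor survived exec
   (leaked to the "CGI"), 0 if exec closed it, -1 on error. */
int fd_survives_exec(int fd) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Move the log to fd 3, copying its close-on-exec flag so the
           flag, not the descriptor number, decides the outcome. */
        if (fd != 3) { dup2(fd, 3); fcntl(3, F_SETFD, fcntl(fd, F_GETFD)); }
        execl("/bin/sh", "sh", "-c", ": 2>/dev/null >&3", (char *)0);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* End to end: open the log, optionally apply the fix, launch the "CGI".
   Returns 1 if the child inherited the log, 0 if not, -1 on error. */
int cgi_inherits_log(int apply_fix) {
    int fd = open_log_plain(), leaked;
    if (fd < 0 || (apply_fix && set_cloexec(fd) < 0)) return -1;
    leaked = fd_survives_exec(fd);
    close(fd);
    return leaked;
}
```

Without the flag the child shell can still write to the log descriptor; with it, exec closes the descriptor before any CGI code runs, which is the whole of the fix (fchdir on an inherited directory descriptor is the same class of problem).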