[22085] in bugtraq


Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate

daemon@ATHENA.MIT.EDU (Nasir Simbolon)
Thu Aug 2 12:20:55 2001

Message-ID: <3B68EDB0.71F9821@3wsi.com>
Date: Thu, 02 Aug 2001 13:05:36 +0700
From: Nasir Simbolon <nasir@3wsi.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Olaf Bohlen wrote:

> But: no user (except root) should be able to gain access to nobody. so
> this is not a security hole imho.
>
> Also if you run apache-cgi's as user, apache chowns to the owner of the
> cgi before executing it:
>
>

If apache is run by uid nobody, all system accounts will gain access to
nobody if:
1. you installed php as a module of apache
2. you configured php as default

All you have to do is create a php script that executes code,
e.g.
<?php
   system("/path/to/locate-exploite");
?>
Put this script in your public_html directory and access this file from
your browser.
This script will be executed by php with uid nobody.

Note: php has directives in php.ini to limit the system programs that can
be executed by php:
safe_mode_exec_dir    /path/to/exec-dir-allowed
open_basedir       /path/to/open-dir-allowed

salam,
/*------------------------------------
--Nasir Simbolon // Web application developer //
--3WSI : 3WSI Web Solutions Indonesia
--http://3wsi.com
--*/
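
An added example, not part of the original message: a small check that reads php.ini text and reports whether the two directives named above are active. The sample fragments are constructed, and `safe_mode` is a php.ini directive not named in the message; it is included because `safe_mode_exec_dir` is only enforced while it is on.

```python
import re

# Constructed sample php.ini fragments (not from the original message).
WEAK_INI = """\
; mod_php with nothing restricting what system() may run
safe_mode = Off
;open_basedir =
"""
HARDENED_INI = """\
safe_mode = On
safe_mode_exec_dir = "/path/to/exec-dir-allowed"
open_basedir = /path/to/open-dir-allowed
"""

LINE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$')

def parse_ini(text):
    """Return {directive: value} for active (uncommented) php.ini lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]      # ';' starts a comment in php.ini
        m = LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip('"\'')
    return settings

def audit(text):
    """List findings for the directives named in the message."""
    s = parse_ini(text)
    findings = []
    if s.get("safe_mode", "").lower() not in ("1", "on", "yes", "true"):
        # safe_mode_exec_dir is only enforced while safe_mode is enabled.
        findings.append("safe_mode is off, so safe_mode_exec_dir is not enforced")
    if not s.get("safe_mode_exec_dir"):
        findings.append("safe_mode_exec_dir is not set")
    if not s.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or "no findings")
```

`safe_mode` and `safe_mode_exec_dir` were removed in PHP 5.4.0, so this check applies to the PHP versions of the message's era.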

