[1506] in bugtraq
Re: HTTPD bug
daemon@ATHENA.MIT.EDU (Mr Martin J Hargreaves)
Sun Apr 16 15:52:23 1995
Date: Sun, 16 Apr 1995 15:22:31 +0100 (BST)
From: Mr Martin J Hargreaves <ch11mh@surrey.ac.uk>
To: Mr Pink <vince@dallas.demon.co.uk>
Cc: linux-security@tarsier.cv.nrao.edu, bugtraq@fc.net
In-Reply-To: <199504160046.AAA00478@dallas.demon.co.uk>
I don't think this has been brought up on bugtraq yet; if it has,
sorry. This is from Linux-security, posted by "Mr Pink"
(vince@dallas.demon.co.uk); apologies to Mr. Pink for my instant repost.
On Sun, 16 Apr 1995, Mr Pink wrote:
>
> Hello all,
> I was browsing through alt.2600, as you do, and spotted something of interest:
> it appears there is a problem with the CERN httpd.
>
> It allows you to create a directory in a user's home dir that can be
> accessed via Mosaic/Netscape. Well, the bad bit of news is, if you symlink
> this dir to root (/), file ownership becomes nonexistent.
>
> I was easily able to read the shadow passwd file!
>
>
> --
>
> "Why should I be frightened of dying? There's no reason for it.
> You've got to go sometime." - TGGITS
This may also be possible with the NCSA daemon. You can set the
FOLLOW_SYMLINKS variable in $SERVERROOT/conf/access.conf I believe to
prevent the NCSA one from following any symlinks. However I think it
defaults to following them. Haven't tested the file permissions under
these conditions. I think there is a hole if he could read the shadow
passwords, but that good server admin (not allowing symlinks from user
directories, not running httpd as root, etc) may prevent the attack
(possibly why it hasn't been found until now)...
M.
----------------------------------------------------------------
| Martin Hargreaves, ch11mh@surrey.ac.uk|
| Undergraduate Computational Chemist |
| WWW Server Admin http://www.chem.surrey.ac.uk|
----------------------------------------------------------------
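
Added example, not part of the original thread: a Python audit an administrator could run over a user web directory to list symlinks that resolve outside it, such as the link to / described above. The function names and the sample layout (home/alice/public_html) are constructed for illustration.

```python
import os
import tempfile


def find_escaping_symlinks(web_root):
    """Return sorted (link_path, resolved_target) pairs for every symlink
    under web_root whose target resolves outside web_root."""
    root = os.path.realpath(web_root)
    findings = []
    # followlinks=False: the audit itself never walks through a symlink.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # Compare whole path components, so that a sibling such as
            # public_html_old is not mistaken for something inside public_html.
            if os.path.commonpath([root, target]) != root:
                findings.append((path, target))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample data: one harmless link and two escaping ones."""
    home = os.path.join(base, "home", "alice")
    web = os.path.join(home, "public_html")
    os.makedirs(os.path.join(web, "docs"))
    with open(os.path.join(web, "docs", "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    # Stays inside the web directory: not reported.
    os.symlink(os.path.join(web, "docs"), os.path.join(web, "manual"))
    # The case from the post: a link in the user's web dir pointing at /.
    os.symlink("/", os.path.join(web, "files"))
    # Dangling link to a sibling whose name merely starts with "public_html".
    os.symlink(os.path.join(home, "public_html_old"), os.path.join(web, "old"))
    return web


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for link, target in find_escaping_symlinks(build_sample_tree(base)):
            print(f"{link} -> {target}")
```

A finding only says a link leaves the directory; whether the server serves it still depends on its symlink setting and on the account httpd runs as.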