[1513] in bugtraq
Re: HTTPD bug
daemon@ATHENA.MIT.EDU (Baba Z Buehler)
Mon Apr 17 16:58:47 1995
Reply-To: Baba Z Buehler <baba@beckman.uiuc.edu>
From: Baba Z Buehler <baba@beckman.uiuc.edu>
To: Mr Martin J Hargreaves <ch11mh@surrey.ac.uk>
Cc: Mr Pink <vince@dallas.demon.co.uk>, linux-security@tarsier.cv.nrao.edu,
bugtraq@fc.net
In-Reply-To: Your message of "Sun, 16 Apr 1995 15:22:31 BST."
<Pine.HPP.3.90.950416151608.29632B-100000@central.surrey.ac.uk>
Date: Mon, 17 Apr 1995 08:25:34 -0500
Mr Martin J Hargreaves <ch11mh@surrey.ac.uk> writes:
> On Sun, 16 Apr 1995, Mr Pink wrote:
>
> >
> > Hello all,
> > I was browsing through alt.2600, as you do, and spotted something of interest:
> > it appears there is a problem with the CERN httpd.
> >
> > It allows you to create a directory in a user's home dir that can be
> > accessed via mosaic/netscape. Well, the bad bit of news is, if you symlink
> > this dir to root (/), file ownership becomes nonexistent.
> >
> > I was easily able to read the shadow passwd file!
> >
>
> This may also be possible with the NCSA daemon. You can set the
> FOLLOW_SYMLINKS variable in $SERVERROOT/conf/access.conf I believe to
> prevent the NCSA one from following any symlinks. However I think it
> defaults to following them. Haven't tested the file permissions under
> these conditions. I think there is a hole if he could read the shadow
> passwords, but that good server admin (not allowing symlinks from user
> directories, not running httpd as root, etc) may prevent the attack
> (possibly why it hasn't been found until now)...
>
The httpd process will read files with the permissions of the user it is
running as. If you run your httpd as root, then you've got a problem.
Run httpd as user 'nobody' or some such, and you won't have this problem.
--
# Baba Z Buehler - 'Hackito Ergo Sum'
# Beckman Institute Systems Services, Urbana Illinois
#
# UNIX . . . best if used before: Tue Jan 19 03:14:08 2038 UTC
#
# WWW: http://www.beckman.uiuc.edu/groups/biss/people/baba/
# PGP public key on WWW homepage and key servers (key id: C13D8EE1)
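
Added example, not part of the original message or of any httpd's own code: a Python audit that lists symlinks under a published directory which resolve outside it, and reports whether the target's mode bits would let a given server uid read it. The function names and the WEB_ROOT and SERVER_UID arguments are assumptions of this example.

```python
import os
import stat
import sys


def escaping_symlinks(web_root):
    """Return sorted (link, resolved_target) pairs for symlinks under
    web_root whose target resolves outside web_root."""
    root = os.path.realpath(web_root)
    found = []
    # followlinks=False: report a link to / without descending into it.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            if os.path.commonpath([root, target]) != root:
                found.append((link, target))
    return sorted(found)


def readable_by(path, uid, gids=()):
    """Approximate Unix read check on the file's own mode bits for a
    given uid/gids (ignores ACLs and parent-directory permissions)."""
    if uid == 0:
        return True  # root bypasses file permission bits
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


if __name__ == "__main__":
    # Usage: audit.py WEB_ROOT SERVER_UID  (both supplied by the operator)
    web_root, server_uid = sys.argv[1], int(sys.argv[2])
    for link, target in escaping_symlinks(web_root):
        exposed = os.path.exists(target) and readable_by(target, server_uid)
        print(f"{link} -> {target} readable_by_uid_{server_uid}={exposed}")
```

Run against each user's published directory with the uid the server actually runs as; a link that escapes the directory matters most when that uid is 0.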