[1705] in bugtraq
NCSA httpd: patch for CGI insecurity
daemon@ATHENA.MIT.EDU (Paul Phillips)
Thu May 4 20:56:58 1995
Date: Thu, 4 May 1995 16:17:55 -0700 (PDT)
From: Paul Phillips <paulp@CERF.NET>
To: www-security@ns2.rutgers.edu, www-managers@list.Stanford.EDU,
bugtraq@fc.net, httpd@ncsa.uiuc.edu
In-Reply-To: <Pine.SUN.3.91.950504100350.3949A-100000@nic.cerf.net>
On Thu, 4 May 1995, Paul Phillips wrote:
> It was pointed out that fchdir could conceivably be used to escape a
> chrooted area. I also really don't like the idea that a CGI can log an
> arbitrary amount of false information. Trashing the log files at least
> informs the web admin that something is up, but information warfare can
> be more dangerous than information vandalism.
Sorry to quote myself, but this is quite a bit more serious than I had
originally painted it. I know of some commercial web space providers
that charge by the byte for bandwidth used. If I have an account and CGI
access on the same server that someone else does, what is to stop me from
logging lots of entries for someone else on the server, greatly
increasing their tab? Nothing. In fact, with a single CGI I could fork
another process that sits around in the background and logs accesses to
my enemies every minute or so.
Not good. Anyone running any NCSA server that uses the logs for
billing is on thin ice. On that note, here is a patch for httpd1.4 that
fixes the problem.
*** http_log.c.orig Thu May 4 16:00:27 1995
--- http_log.c Thu May 4 16:13:26 1995
***************
*** 57,62 ****
--- 57,64 ----
extern char *save_name;
void open_logs() {
+ int flags;
+
if(!(error_log = fopen(error_fname,"a"))) {
fprintf(stderr,"httpd: could not open error log file %s.\n",
error_fname);
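Review bot: the new `int flags;` declaration is only useful together with `F_GETFD`, `F_SETFD` and `FD_CLOEXEC`, which come from `<fcntl.h>`; this diff adds no include, so confirm that http_log.c already pulls in `<fcntl.h>` (the visible context shows only `save_name` and the `fopen` of the error log), otherwise the second hunk will not compile.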
***************
*** 81,86 ****
--- 83,106 ----
perror("fopen");
exit(1);
}
+
+ /* set close-on-exec flag so CGI's cannot get to logs */
+
+ flags = fcntl(fileno(error_log), F_GETFD);
+ flags |= FD_CLOEXEC;
+ fcntl(fileno(error_log), F_SETFD, flags);
+
+ flags = fcntl(xfer_log, F_GETFD);
+ flags |= FD_CLOEXEC;
+ fcntl(xfer_log, F_SETFD, flags);
+
+ flags = fcntl(fileno(agent_log), F_GETFD);
+ flags |= FD_CLOEXEC;
+ fcntl(fileno(agent_log), F_SETFD, flags);
+
+ flags = fcntl(fileno(referer_log), F_GETFD);
+ flags |= FD_CLOEXEC;
+ fcntl(fileno(referer_log), F_SETFD, flags);
}
void close_logs() {
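Review bot: none of the eight `fcntl()` calls checks its return value, so if `F_GETFD` fails the code ORs `FD_CLOEXEC` into `-1` and passes that to `F_SETFD`, and if either call fails the descriptor silently stays inheritable by CGI programs, which is exactly the condition the patch exists to remove. The surrounding code already has a failure convention for the log files (`perror("fopen"); exit(1);` a few lines up), so the same treatment fits here, e.g. `if (flags == -1 || fcntl(fileno(error_log), F_SETFD, flags | FD_CLOEXEC) == -1) { perror("fcntl"); exit(1); }`. Since the same three lines are repeated for four descriptors, a small helper taking an `int fd` would make the checked version shorter than the unchecked one; it would also make the one difference stand out, namely that `xfer_log` is passed directly while the other three go through `fileno()`, which is worth a comment so a later reader knows `xfer_log` is a raw descriptor rather than a `FILE *`.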
------------ End patch -----------------
--
Paul Phillips EMAIL: paulp@cerf.net
WWW: http://www.primus.com/staff/paulp/ PHONE: (619) 220-0850
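An added example (not code from the post or from NCSA httpd) that reproduces the condition the patch addresses and shows the fix taking effect: a descriptor opened by the parent is inherited by an exec'd child, which can write into the file by descriptor number, until `FD_CLOEXEC` is set on it. It assumes a POSIX system with `/bin/sh` and a writable `/tmp`; the temp file stands in for the httpd log, and `run_demo` returns 2 when the child could write before the fix and could not after it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The patch's F_GETFD/F_SETFD sequence, with the error checks it omits. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Stand-in for a CGI program: an exec'd child tries to write a line via
 * descriptor number `fd`. Returns 1 if it reached the file, 0 if not, -1 on error. */
int child_can_write(int fd)
{
    char cmd[64], buf[64]; int status; pid_t pid; ssize_t n;
    if (ftruncate(fd, 0) == -1 || lseek(fd, 0, SEEK_SET) == -1)
        return -1;
    snprintf(cmd, sizeof cmd, "echo forged-entry 2>/dev/null >&%d", fd);
    if ((pid = fork()) == -1)
        return -1;
    if (pid == 0) {                      /* child: plays the CGI program */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) == -1 || lseek(fd, 0, SEEK_SET) == -1)
        return -1;
    if ((n = read(fd, buf, sizeof buf - 1)) < 0)
        return -1;
    buf[n] = '\0';
    return strstr(buf, "forged-entry") != NULL;
}

/* Probe a constructed temp "log" before and after the fix; returns
 * (before << 1) | after, so 2 means inherited before, sealed after. */
int run_demo(void)
{
    char path[] = "/tmp/httpd-log-XXXXXX";   /* constructed stand-in for the log */
    int fd = mkstemp(path), before, after;
    if (fd == -1) return -1;
    before = child_can_write(fd);
    set_cloexec(fd);
    after = child_can_write(fd);
    unlink(path); close(fd);
    return (before << 1) | after;
}
```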