[2075] in bugtraq
Re: SECURITY HOLE: "Guestbook"
daemon@ATHENA.MIT.EDU (Pat The Friendly RedNeck)
Fri Aug 4 17:03:11 1995
Date: Thu, 3 Aug 1995 10:21:54 -0700
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Pat The Friendly RedNeck <pat@WOLFE.net>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199508030504.WAA23810@nic.cerf.net> from "Paul Phillips" at Aug 2, 95 10:04:32 pm
> The version of "Guestbook" available at
> <URL:http://alpha.pr1.k12.co.us/~mattw/scripts/guestbook.html>
> allows execution of arbitrary commands under the server UID.
> [ ... ]
> It's the same old story -- forks a shell and sends off user
> supplied form data without checking it at all. In my probes
> I'm also finding sites running their webservers as root...
> BAD BAD. DON'T DO THIS.
Thanks for the alert.
Aren't most servers configured to change to nobody/nogroup, only being
launched as root so it can bind to port 80? Looking at the code (ncsa
httpd), all privs are given up as soon as the config file is read, when
it does a setuid(user_id), the user_id, read from httpd.conf User and
group entries, and usually set to be nobody and nogroup (UID 65534/GID
65534 on most systems).
Surely folks are not putting root in the httpd.conf User field...
> Followups to comp.infosystems.www.authoring.cgi, please.
> --
> Paul Phillips | "Click _here_ if you do not
> <URL:mailto:paulp@cerf.net> | have a graphical browser"
> <URL:http://www.primus.com/staff/paulp/> | -- Canter and Siegel, on
> <URL:pots://+1-619-220-0850/is/paul/there?> | their short-lived web site
--
#include <std.disclaimer> Pat Myrto (pat@Wolfe.NET) Seattle WA
A sysadmin's life is a sorry one. The only advantage he has over Emergency
Room doctors is that malpractice suits are rare. On the other hand, ER
doctors never have to deal with patients installing new versions of their
own innards! -Michael O'Brien
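As an added illustration (not the guestbook script from the advisory, nor code from either poster), here is the failure mode Paul describes next to a handler that never lets form data reach a shell; the "name" field, its allowlist and the `mail` notification are assumptions:

```python
"""Guestbook CGI hardening: keep form data out of a shell. Added example."""
import re
import subprocess
from typing import Optional

# Allowlist for the guestbook "name" field (assumption: short, plain names).
NAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,64}")
# Characters a Bourne shell treats as syntax rather than data.
SHELL_META = frozenset(";|&`$<>(){}\n\r\\\"'*?#")


def has_shell_metacharacters(value: str) -> bool:
    """True if a shell would read part of `value` as syntax, not text."""
    return any(ch in SHELL_META for ch in value)


def validate_name(value: str) -> Optional[str]:
    """Return `value` unchanged if it matches the allowlist, else None.
    Reject rather than 'clean': stripping characters is easy to get wrong."""
    return value if NAME_RE.fullmatch(value) else None


def unsafe_command(name: str, admin: str) -> str:
    """The 1995 pattern: form data spliced into one string for a shell.
    A legitimate apostrophe in `name` already breaks the quoting.
    Shown for contrast only; nothing here executes it."""
    return f"mail -s 'Guestbook entry from {name}' {admin}"


def safe_argv(name: str, admin: str) -> list[str]:
    """Build argv without a shell: each element is exactly one argument,
    so field content is passed as data and never parsed as syntax."""
    return ["mail", "-s", f"Guestbook entry from {name}", admin]


def handle_entry(raw_name: str, admin: str, body: str) -> int:
    """Validate, then notify with shell=False and the body on stdin.
    Returns the mail exit status, or 2 if the name was rejected."""
    name = validate_name(raw_name)
    if name is None:
        return 2
    proc = subprocess.run(safe_argv(name, admin), input=body.encode(),
                          check=False)
    return proc.returncode
```

The validation is a second line of defence; the essential fix is `safe_argv` plus `shell=False`, which makes the `mail` arguments fixed in number and position whatever the field contains.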