[2204] in bugtraq
Re: httpd symlinks
daemon@ATHENA.MIT.EDU (Daniel S. Riley)
Mon Sep 4 22:47:00 1995
Date: Mon, 4 Sep 1995 16:21:05 -0400
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: "Daniel S. Riley" <dsr@lns61.tn.cornell.edu>
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: Martin Hargreaves's message of Sat, 2 Sep 1995 14:37:17 +0100
>> Try adding this to "access.conf" on apache 0.8.11 or ncsa 1.4 (not sure
>> about how CERN handles this). "SymLinksIfOwnerMatch" is only vaguely
>> documented.
SymLinksIfOwnerMatch, at least in NCSA httpd 1.4 through 1.5b3, is
also broken. Here's the bug report I submitted to the ncsa-httpd
team:
SymLinksIfOwnerMatch can be trivially defeated. The check code
basically does
    lstat(path,&fi);
    [...]
    bsz = readlink(path,realpath,256);
    [...]
    lstat(realpath,&lfi);
    if(fi.st_uid != lfi.st_uid)
        goto gong;
which can be fooled by creating a soft link to a soft link to the
target file. The second lstat should be a stat(), and the whole
thing could be substantially simplified--something like
    lstat(path,&fi);
    if(!(S_ISREG(fi.st_mode))) {
        if(opts[n] & OPT_SYM_OWNER) {
            if (stat(path,&lfi) == -1)
                goto gong;
            if(fi.st_uid != lfi.st_uid)
                goto gong;
        }
    }
should be sufficient (be sure to fix both instances).
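An added example, not from the original post or from NCSA httpd, that puts the two checks side by side in C: the one-level lstat()-after-readlink() comparison and the stat() version proposed above. It builds a constructed link-to-link chain in a temp directory and reports which inode each check actually compared; owner_check, naive_check_stops_short and the /tmp fixture are names and paths assumed for this illustration.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Owner check as in NCSA httpd 1.4 (follow_all == 0): lstat() the link,
 * readlink() it once and lstat() the named target, so a link to a link is
 * compared against the intermediate link, never the file.  follow_all == 1
 * is the post's fix: stat() resolves the whole chain.  *seen receives the
 * inode that was actually compared.  Returns 0 on owner match, -1 otherwise. */
static int owner_check(const char *path, int follow_all, struct stat *seen) {
    struct stat fi, lfi;
    char buf[257];                       /* original used a 256-byte readlink() */
    ssize_t bsz;
    if (lstat(path, &fi) == -1) return -1;
    if (!S_ISLNK(fi.st_mode)) { *seen = fi; return 0; }
    if (follow_all) {
        if (stat(path, &lfi) == -1) return -1;
    } else {
        if ((bsz = readlink(path, buf, 256)) == -1) return -1;
        buf[bsz] = '\0';                 /* readlink() does not NUL-terminate */
        if (lstat(buf, &lfi) == -1) return -1;   /* resolves only one level */
    }
    *seen = lfi;
    return fi.st_uid == lfi.st_uid ? 0 : -1;
}

/* Constructed fixture: target <- link1 <- link2 in a fresh temp dir (all owned
 * by the caller, so both checks report a match).  Returns 1 if the naive check
 * inspected a symlink while the fixed check inspected the regular file. */
int naive_check_stops_short(void) {
    char dir[] = "/tmp/symchkXXXXXX", target[64], link1[64], link2[64];
    struct stat naive, fixed;
    FILE *f;
    int ok;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link1, sizeof link1, "%s/link1", dir);
    snprintf(link2, sizeof link2, "%s/link2", dir);
    if ((f = fopen(target, "w")) == NULL) return -1;
    fputs("constructed sample content\n", f); fclose(f);
    if (symlink(target, link1) == -1 || symlink(link1, link2) == -1) return -1;
    ok = owner_check(link2, 0, &naive) == 0 && owner_check(link2, 1, &fixed) == 0
         && S_ISLNK(naive.st_mode) && S_ISREG(fixed.st_mode);
    unlink(link2); unlink(link1); unlink(target); rmdir(dir);
    return ok;
}
```

Both checks return "match" here because every node in the chain is owned by the caller; the point is that the naive check never looked at the file at the end of the chain, so its owner could be anyone.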