Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: HTTPD bugBaba Z Buehler (bababeckman.uiuc.edu)
Mon, 17 Apr 1995 08:25:34 -0500
- Messages sorted by: [ date ][ thread ][ subject ][ author ]
- Next message: carsonlehman.com: "Re: HTTPD bug"
- Previous message: John F. Haugh II: "Re: passwd hashing algorithm"
- In reply to: Mr Martin J Hargreaves: "Re: HTTPD bug"
- Next in thread: Mr Martin J Hargreaves: "Re: HTTPD bug"
Mr Martin J Hargreaves <ch11mhsurrey.ac.uk> writes: > On Sun, 16 Apr 1995, Mr Pink wrote: > > > > > Hello all, > > i was browsing thru alt.2600, as you do, and spotted something of interest > > it appears there is a problem with the CERN httpd. > > > > It allows you to create a directory in a users home dir that can be > > accessed via mosaic/netscape. well the bad bit of news is, if you sym link > > this dir to root (/), file ownership becomes non existent. > > > > i was easily able to read the shadow passwd file! > > > > This may also be possible with the NCSA daemon. You can set the > FOLLOW_SYMLINKS variable in $SERVERROOT/conf/access.conf I believe to > prevent the NCSA one from following any symlinks. However I think it > defaults to following them. Haven't tested the file permissions under > these conditions. I think there is a hole if he could read the shadow > passwords, but that good server admin (not allowing symlinks from user > directories, not running httpd as root, etc) may prevent the attack > (possibly why it hasn't been found until now)... > the httpd process will read files with the permissions of the user it is running as. if you run your httpd as root, then you've got a problem. run httpd as user 'nobody' or some such, and you won't have this problem. -- # Baba Z Buehler - 'Hackito Ergo Sum' # Beckman Institute Systems Services, Urbana Illinois # # UNIX . . . best if used before: Tue Jan 19 03:14:08 2038 UTC # # WWW: http://www.beckman.uiuc.edu/groups/biss/people/baba/ # PGP public key on WWW homepage and key servers (key id: C13D8EE1)