OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 2nd quarter (Apr-Jun) 1995: Re: HTTPD bug

Re: HTTPD bug

Baba Z Buehler (bababeckman.uiuc.edu)
Mon, 17 Apr 1995 08:25:34 -0500

Mr Martin J Hargreaves <ch11mhsurrey.ac.uk> writes:

> On Sun, 16 Apr 1995, Mr Pink wrote:
> 
> > 
> > Hello all,
> > i was browsing thru alt.2600, as you do, and spotted something of interest
> > it appears there is a problem with the CERN httpd.
> > 
> > It allows you to create a directory in a users home dir that can be 
> > accessed via mosaic/netscape.  well the bad bit of news is, if you sym link
> > this dir to root (/), file ownership becomes non existent.
> > 
> > i was easily able to read the shadow passwd file!
> > 
> 
> 	This may also be possible with the NCSA daemon. You can set the 
> FOLLOW_SYMLINKS variable in $SERVERROOT/conf/access.conf I believe to 
> prevent the NCSA one from following any symlinks. However I think it 
> defaults to following them. Haven't tested the file permissions under 
> these conditions. I think there is a hole if he could read the shadow 
> passwords, but that good server admin (not allowing symlinks from user 
> directories, not running httpd as root, etc) may prevent the attack 
> (possibly why it hasn't been found until now)...
> 

the httpd process will read files with the permissions of the user it is
running as.  if you run your httpd as root, then you've got a problem.

run httpd as user 'nobody' or some such, and you won't have this problem.

--
# Baba Z Buehler - 'Hackito Ergo Sum'
# Beckman Institute Systems Services, Urbana Illinois
#
#   UNIX . . . best if used before: Tue Jan 19 03:14:08 2038 UTC
#
# WWW: http://www.beckman.uiuc.edu/groups/biss/people/baba/
# PGP public key on WWW homepage and key servers (key id: C13D8EE1)