Re: Apache 2.x leaked descriptors
From: Joe Orton (jorton at redhat.com)
Date: Thu Mar 13 2003 - 06:51:45 CST
I think you can be more inventive about what a malicious script author can
do if they can run arbitrary code from a CGI script, under the Apache
model. Here are some things I can come up with:
- using ptrace() on an httpd child: now you can get the httpd child to
run arbitrary code, so "fd leaks" from child to CGI script are really
irrelevant. (This is an old trick: nCipher used this as a demo of how to
extract in-server SSL private keys using a CGI script.)
- sending signals to the server children: SIGSTOP will make a quick'n'easy
DoS.
I'm sure there are more. The bottom line is that you must trust CGI
script authors with the privileges of the user which httpd runs as.
Regards,
joe
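A defender-side audit of the trust boundary the post describes, added here as an example and not part of the original message: it parses `ps -eo pid,ppid,user,comm` output (the sample table below is constructed) and flags CGI children that run as the same user as the httpd worker that spawned them, which is exactly the situation in which the child may signal or ptrace the workers. The optional Yama `ptrace_scope` read is a Linux-only assumption not mentioned in the post.

```python
"""Audit a process table for CGI children sharing the httpd worker uid."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid user comm")

# Constructed sample in the format printed by `ps -eo pid,ppid,user,comm`.
# 702/703 are httpd workers; 810 is a CGI child running as the worker's
# user, 811 is a CGI child running as a separate, dedicated user.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
  700     1 root     httpd
  701   700 apache   httpd
  702   700 apache   httpd
  703   700 apache   httpd
  810   702 apache   perl
  811   703 www-cgi  php-cgi
"""


def parse_ps(text):
    """Turn `ps -eo pid,ppid,user,comm` output into Proc records."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        pid, ppid, user, comm = parts
        procs.append(Proc(int(pid), int(ppid), user, comm))
    return procs


def find_shared_uid_children(procs, server_comm="httpd"):
    """Return (child_pid, worker_pid, user) for every non-httpd process
    whose parent is an httpd worker and whose user equals the worker's.

    A worker is an httpd process whose parent is also httpd (the root
    parent runs as root and does not spawn CGI directly). A child that
    shares the worker's uid can kill(2) the workers and, absent extra
    kernel restrictions, ptrace(2) them; a child under its own uid cannot.
    """
    by_pid = {p.pid: p for p in procs}
    workers = {
        p.pid: p for p in procs
        if p.comm == server_comm
        and p.ppid in by_pid and by_pid[p.ppid].comm == server_comm
    }
    findings = []
    for p in procs:
        worker = workers.get(p.ppid)
        if worker is None or p.comm == server_comm:
            continue
        if p.user == worker.user:
            findings.append((p.pid, worker.pid, p.user))
    return findings


def read_ptrace_scope(path="/proc/sys/kernel/yama/ptrace_scope"):
    """Assumption: Linux with the Yama LSM. 0 means any same-uid process
    may attach; returns None when the file is absent (non-Linux, no Yama)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for child, worker, user in find_shared_uid_children(parse_ps(SAMPLE_PS)):
        print(f"pid {child} (user {user}) shares uid with httpd worker {worker}")
    print("yama ptrace_scope:", read_ptrace_scope())
```

On a live host replace `SAMPLE_PS` with the real `ps` output; an empty result means every CGI child already runs under a user distinct from the workers, which is the only configuration in which the post's ptrace and signal concerns do not apply.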