Bugtraq mailing list archives

Re: HTTPD bug


From: fitz () wang com (Tom Fitzgerald)
Date: Mon, 17 Apr 95 22:01:21 EDT


> It allows you to create a directory in a user's home dir that can be
> accessed via mosaic/netscape.  Well, the bad bit of news is, if you
> symlink this dir to root (/), file ownership becomes nonexistent.
>
> I was easily able to read the shadow passwd file!
>
> The easy fix is to run the daemon as nobody (which is what I do).
> chroot'ing will also take care of this sort of problem.

I do this too (both chrooting and running as a user with no privs) but it
isn't a complete fix.  Users can still read the password files in the WWW
tree that contain the passwords used to get at restricted documents.  Users
can also read the httpd configuration files and the sources for CGI
scripts, which might be a problem on some systems.

The only real fix is to avoid following symlinks.  This requires a code
change to the CERN httpd, which doesn't have a config-file option for this.

-- 
Tom Fitzgerald    1-508-967-5278    Wang Labs, Lowell MA, USA    fitz () wang com
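
What "avoid following symlinks" can look like in a server's file-open path, as an added example that is not part of the original post and is not CERN httpd code. It assumes a POSIX.1-2008 system (openat and O_NOFOLLOW, which postdate this message); the name open_no_symlinks and its error codes are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open relpath beneath rootfd read-only, refusing a symlink in ANY path
 * component and anything that is not a regular file. Returns an fd, or
 * -1 with errno set. */
int open_no_symlinks(int rootfd, const char *relpath)
{
    char comp[256];
    const char *p = relpath;
    int dirfd = dup(rootfd);               /* our own handle to walk with */
    if (dirfd < 0) return -1;
    for (;;) {
        p += strspn(p, "/");               /* skip separators */
        size_t n = strcspn(p, "/");
        if (n == 0 || n >= sizeof comp || (n == 2 && !strncmp(p, "..", 2))) {
            close(dirfd); errno = EACCES; return -1;  /* empty, long, or ".." */
        }
        memcpy(comp, p, n); comp[n] = '\0';
        p += n; p += strspn(p, "/");
        int last = (*p == '\0');
        /* O_NOFOLLOW: fail, don't follow, a symlink. O_NONBLOCK: no FIFO hang. */
        int fd = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_NONBLOCK |
                                     (last ? 0 : O_DIRECTORY));
        int saved = errno;
        close(dirfd);
        if (fd < 0) { errno = saved; return -1; }
        if (!last) { dirfd = fd; continue; }
        struct stat st;                    /* final component: regular file only */
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) return fd;
        close(fd); errno = EACCES; return -1;
    }
}

/* Usage: ./a.out <docroot> <relative/path> */
int main(int argc, char **argv)
{
    if (argc != 3) return 2;
    int root = open(argv[1], O_RDONLY | O_DIRECTORY);
    int fd = root < 0 ? -1 : open_no_symlinks(root, argv[2]);
    printf("%s: %s\n", argv[2], fd < 0 ? strerror(errno) : "opened");
    return fd < 0;
}
```

Hard links are not symlinks, so this check does not catch them.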


