Bugtraq mailing list archives
Re: apache+ssl 1.13 symlink problem
From: ben () ALGROUP CO UK (Ben Laurie)
Date: Tue, 24 Mar 1998 18:57:51 +0000
Ondrej Suchy wrote:
Hi all. Sorry if this was already mentioned, but ... Apache SSL server has similar symlink problem as updatedb (and thousands of others programs). I don't know about the other versions, but at least ssl 1.13 patch for apache 1.2.5 contains following line in default configuration: SSLLogFile /tmp/ssl.log which makes httpsd log it's activity to that file. Any file can be linked to /tmp/ssl.log and httpsd will happily append something like "CIPHER is blah-blah" to it. I could not make it to root access, but I can't say it's impossible. (Maybe through .rhosts?) Note that this problem is not affected by setting the User and Group directives in the configuration to nobody or other unprivileged user, since httpd often starts as root, writes to log files and THEN changes its uid. (There is probably the same problem with /tmp/ssldebug log file, I didn't test it.)
The /tmp/ssldebug file is not created if you use an up-to-date version of SSLeay (i.e. v 0.8.x). However, as a precaution, I will comment it out for future versions. /tmp/ssl.log may be a risk - I will document it as such for future versions, but I'd note that the example config (which is _not_ a default config) will not generally work on any system except mine, so this directive would only be included in a real config if included by the sysadmin. Thanks for the report. It would've been courteous to let me do something about it before posting to a public forum, though. Cheers, Ben. -- Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org and Technical Director|Email: ben () algroup co uk | A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/ London, England. |"Apache: TDG" http://www.ora.com/catalog/apache
Current thread:
- Re: apache+ssl 1.13 symlink problem Ben Laurie (Mar 24)
- Re: apache+ssl 1.13 symlink problem; NcFTP 2.4.2+ Mike Gleason (Mar 24)
- Clarification Mike Gleason (Mar 24)
- Protocol Aleph One (Mar 24)
- SECURITY: new svgalib and kbd now available Erik Troan (Mar 25)
- Sumbit Internet Account v1.1 Dax Kelson (Mar 25)
- Majordomo /tmp exploit Karl G - NOC Admin (Mar 26)
- FW: mysql: Trivial mSQL/MySQL DoS method? (fwd) Michael Widenius (Mar 26)
- Re: Majordomo /tmp exploit Steven Pritchard (Mar 26)
- easy DoS in most RPC apps Peter van Dijk (Mar 28)
- Netscape passes mailbox path and message ID as refferer Rop Gonggrijp (Mar 28)
- Majordomo /tmp exploit Karl G - NOC Admin (Mar 26)
(Thread continues...)