Re: Hijacking Apache 2 via mod_perl

[lupe () lupe-christoph de (Lupe Christoph)]

On Wednesday, 2004-01-21 at 22:53:33 -0000, Steve Grubb wrote:

> Product:         mod_perl
> Versions:        1.99_09 / apache 2.0.47
> URL:             http://perl.apache.org
> Impact:          Daemon Hijacking
> Bug class:       Leaked Descriptor
> Vendor notified: Yes
> Fix available:   No
> Date:            01/21/04

> Issue:
> ======
> Mod_perl under apache 2.0.x leaks critical file descriptors that can be used to takeover (hijack) the http and https 
> services.

It does not leak them. Your code reopens them.

Installing your code requires superuser permissions. Or the willingness
of the admin of the machine to trust people with the right to install
code that runs inside Apache.

Much the same can be done with anything that runs inside Apache. For
example, mod_php. So in essence you are complaining that an Apache
extensions has the right to do anything inside Apache it can be
programmed to do.

For example, to receive POST data, the extension code has to be able to
access the FD that connects to the browser. It also has to be able to
write to that FD to send a reply.

To write to a log, it needs write access (mostly through the Apache ABI)
to the log filedescriptors.

Can you suggest a way to avoid this?

I have forwarded your mail to the mod_perl mailing list, which I'm also
Ccing on this mail. Had you taken your problem there first, this
silliness could have been avoided.

The thread starts at
  http://marc.theaimsgroup.com/?l=apache-modperl&m=107475920405755&w=2

Lupe Christoph
-- 
| lupe () lupe-christoph de       |           http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze                         |
| "Thief of Time", Terry Pratchett                                       |